{"data":{"id":"6c0c6579-9342-4255-81c3-ab94cbe9fea0","title":"CVE-2024-0964: A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request","summary":"CVE-2024-0964 is a vulnerability in Gradio (an AI tool library) where an attacker can remotely read files from a server by sending a specially crafted JSON request. The flaw exists because Gradio does not properly limit which files users can access through its API, allowing attackers to bypass directory restrictions and read sensitive files they should not be able to reach.","solution":"A patch is available at https://github.com/gradio-app/gradio/commit/d76bcaaaf0734aaf49a680f94ea9d4d22a602e70, which addresses the path traversal vulnerability (CWE-22, improper limitation of a pathname to a restricted directory).","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-0964","publishedAt":"2024-02-06T04:15:08.190Z","cveId":"CVE-2024-0964","cweIds":["CWE-22","CWE-22"],"cvssScore":"9.4","cvssSeverity":"critical","severity":"critical","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Gradio"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00147,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}