{"data":{"id":"8e8b358b-80ed-43b0-a427-5ea1212c0b47","title":"CVE-2024-4941: A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability a","summary":"Gradio version 4.25 has a local file inclusion vulnerability (a security flaw that lets attackers read files they should not be able to access) in its JSON component. The problem occurs because the `postprocess()` function does not properly validate user input before parsing it as JSON; if the parsed JSON contains a `path` key, the system automatically moves the referenced file to a temporary directory, from which attackers can then retrieve it using the `/file=..` endpoint.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-4941","publishedAt":"2024-06-06T22:15:18.783Z","cveId":"CVE-2024-4941","cweIds":["CWE-22"],"cvssScore":"7.5","cvssSeverity":"high","severity":"high","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Gradio"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00765,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}