{"data":{"id":"f6494603-8755-432e-b36b-36336f71a297","title":"CVE-2024-47164: Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to the **bypass of directory traversal checks** in the `is_in_or_equal` function.","summary":"Gradio, an open-source Python package for building AI demos, has a vulnerability in its directory traversal check function (`is_in_or_equal`), which decides whether a file path lies inside an allowed directory. The check can be bypassed using special file path sequences (such as `..`, which means \"go up one folder\"), so an attacker could read or write files outside the directories Gradio intends to expose, particularly through its file upload handling. Exploitation is rated as moderate in sophistication rather than trivial.","solution":"Upgrade to `gradio>=5.0`, which contains the fix. If you cannot upgrade immediately, a workaround is to sanitize and normalize every file path in your Gradio deployment before it reaches `is_in_or_equal`, resolving each path to an absolute path (a complete path starting from the filesystem root) so the containment check compares canonical paths. Be aware that lexically collapsing `..` segments is not on its own a sufficient containment check; resolve symbolic links as well (for example with `os.path.realpath`) so the comparison is done on the real on-disk location. Treat the workaround as a temporary mitigation, not a replacement for the upstream fix.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-47164","publishedAt":"2024-10-11T02:15:10.437Z","cveId":"CVE-2024-47164","cweIds":["CWE-22"],"cvssScore":"6.5","cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Gradio"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00202,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}