CVE-2024-47166: Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **one-level read p
Summary
Gradio, an open-source Python package for building quick demos, is affected by a path traversal vulnerability (a flaw in which an attacker supplies a crafted file path, typically containing `..` segments, to reach files outside the directory the endpoint is meant to serve) in its `/custom_component` endpoint. An attacker can use it to read and leak the source code of custom Gradio components, exposing code that developers intended to keep private; deployments that host custom components on public servers are the most exposed.
Solution / Mitigation
Users should upgrade to `gradio>=4.44`. As a workaround, developers can sanitize the file paths accepted by the endpoint so that every request resolves inside the intended component directory, and ensure that components are not stored in publicly accessible directories.
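The "sanitize file paths" workaround is only effective if the check is done on the resolved path rather than on the raw string. The following is an added example written for this page, not Gradio's own code or its actual fix: a containment check that resolves a requested path against a base directory (`..` segments and symlinks included) and rejects anything that lands outside it. The function names `resolve_within` and `is_safe`, the `PathTraversalError` class and the constructed directory layout in `demo()` are all assumptions made for the illustration.

```python
"""Added example (not Gradio's code): containment check for a file-serving
endpoint, illustrating the "sanitize file paths" mitigation for path traversal."""
from pathlib import Path
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the served directory."""


def resolve_within(base_dir, requested):
    """Return the absolute path for `requested` if it resolves inside `base_dir`.

    `requested` must be a relative path; absolute paths and NUL bytes are
    rejected outright. `..` segments and symlinks are resolved before the
    containment check, so a link inside base_dir that points outside it is
    also rejected. Raises PathTraversalError on any violation.
    """
    requested = str(requested)
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in requested path")
    req = Path(requested)
    if req.is_absolute():
        # Path(base) / Path("/etc/x") would silently discard base, so refuse it.
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    base = Path(base_dir).resolve()
    candidate = (base / req).resolve()  # normalises '..' and follows symlinks
    try:
        # relative_to() compares path components, not string prefixes, so
        # base=/srv/app does not accidentally accept /srv/app2/secret.
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"escapes base directory: {requested!r}") from None
    return candidate


def is_safe(base_dir, requested):
    """Boolean convenience wrapper around resolve_within()."""
    try:
        resolve_within(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def demo():
    """Run the check against a constructed directory layout and return results.

    Layout (constructed, created in a temp dir):
        <tmp>/components/my_comp/index.js   legitimate asset, served
        <tmp>/secret.py                     outside the served directory
        <tmp>/components/escape -> <tmp>/secret.py   symlink pointing outside
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "components"
        (base / "my_comp").mkdir(parents=True)
        (base / "my_comp" / "index.js").write_text("// constructed sample asset\n")
        secret = Path(tmp) / "secret.py"
        secret.write_text("# constructed: code that must not be served\n")
        link = base / "escape"
        try:
            link.symlink_to(secret)
        except OSError:
            pass  # symlinks may be unavailable on some filesystems; skip that case

        results = {
            "my_comp/index.js": is_safe(base, "my_comp/index.js"),
            "../secret.py": is_safe(base, "../secret.py"),
            "my_comp/../../secret.py": is_safe(base, "my_comp/../../secret.py"),
            "/etc/passwd": is_safe(base, "/etc/passwd"),
        }
        if link.is_symlink():
            results["escape"] = is_safe(base, "escape")
        return results


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {path}")
```

The important design choice is that both `base_dir` and the candidate are passed through `resolve()` before comparison: a check that only strips `..` from the string, or that compares string prefixes, would still let a symlink inside the served directory or a sibling directory with a shared name prefix leak files. The example goes slightly beyond the single endpoint described above in that it covers symlink escapes and absolute-path input as well as `..` traversal.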
Vulnerability Details
Severity: 5.3 (medium)
EPSS: 0.2%
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-47166
First tracked: February 15, 2026 at 08:47 PM
Classified by LLM (prompt v3) · confidence: 95%