CVE-2025-23042: Gradio is an open-source Python package that allows quick building of demos and web application for machine learning mod
Summary
Gradio, an open-source Python package for building web applications around machine learning models, has a security flaw in its Access Control List (ACL, the mechanism that controls which files users can access). Attackers can bypass this protection on Windows and macOS by changing the capitalization of a file path, because the default filesystems on these operating systems treat uppercase and lowercase letters as the same in file names while the ACL comparison does not. This allows unauthorized access to sensitive files that should be blocked.
Solution / Mitigation
This issue has been addressed in release version 5.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
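The flaw class described in the summary, as an added example that is not Gradio's code: a naive block-list path check beside a hardened one that canonicalises both sides and folds case only where the filesystem does. The policy paths and request paths are constructed for illustration.

```python
import os
import sys
from typing import Iterable, Optional

# Constructed sample policy (hypothetical paths, not taken from the advisory).
BLOCKED_DIRS = ["/srv/app/secrets"]


def is_blocked_naive(path: str, blocked: Iterable[str] = BLOCKED_DIRS) -> bool:
    """Vulnerable pattern: exact-case prefix match on the raw string.

    On a case-insensitive filesystem (Windows, default macOS) the OS opens
    '/srv/app/SECRETS/key.pem' and '/srv/app/secrets/key.pem' as the same
    file, but this check only rejects the spelling that matches the policy.
    """
    norm = os.path.normpath(path)
    return any(norm.startswith(os.path.normpath(b)) for b in blocked)


def _canonical(path: str, case_insensitive: bool) -> str:
    # Collapse '..' and duplicate separators and make the path absolute.
    # os.path.realpath would also resolve symlinks; it is avoided here so the
    # example runs without touching the filesystem.
    p = os.path.normpath(os.path.abspath(path))
    # Fold case only where the filesystem does, so two spellings of the same
    # file compare equal. os.path.normcase does this on Windows but not macOS.
    return p.casefold() if case_insensitive else p


def is_blocked_hardened(path: str, blocked: Iterable[str] = BLOCKED_DIRS,
                        case_insensitive: Optional[bool] = None) -> bool:
    """Hardened check: canonicalise both sides, then compare path components.

    commonpath() avoids the string-prefix trap where '/srv/app/secrets2'
    would be treated as inside '/srv/app/secrets'.
    """
    if case_insensitive is None:
        # Assumption: Windows and macOS are case-insensitive by default.
        case_insensitive = os.name == "nt" or sys.platform == "darwin"
    target = _canonical(path, case_insensitive)
    for b in blocked:
        root = _canonical(b, case_insensitive)
        if os.path.commonpath([target, root]) == root:
            return True
    return False
```

Passing `case_insensitive=True` on Linux reproduces the Windows/macOS comparison, which is useful for a unit test that must catch the bypass regardless of the CI host.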
Vulnerability Details
7.5 (High)
EPSS: 0.1%
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-23042
First tracked: February 15, 2026 at 08:47 PM
Classified by LLM (prompt v3) · confidence: 92%