Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and involves the component_meta.py component processing input in a way that allows injection and execution of arbitrary code. An attacker can provide a crafted payload that will be interpreted and executed by the application. The vendor (Gradio Project) questions the report, pointing out that the described scenario does not pose a real threat to other users, as the attacker would have to target their own environment.
If the vulnerability is successfully exploited, the attacker can gain full control over the confidentiality, integrity, and availability of the system (CVSS vector scores C:H/I:H/A:H), which potentially includes arbitrary code execution on the server.
Patches available from the vendor should be applied according to the references. Due to the vendor's dispute regarding the validity of the vulnerability, it is recommended to monitor official Gradio project communications and update to the latest available version of the library.
Gradio version 4.36.1 (Gradio Project)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGradio Project Gradio
APPGradio Project4.36.1
Related vulnerabilities
Command Injection w workflow CI/CD repozytorium Gradio (GitHub Actions)
Path Traversal (LFI) w Gradio poprzez złośliwą wartość JSON w API
Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() metho...
Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform...
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps runn...