CVE-2024-47166

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published: Oct 10, 2024
Updated: Oct 17, 2024
CWE ID 22

Summary

CVE-2024-47166 is a vulnerability in the Gradio open-source Python package. The `/custom_component` endpoint is subject to a one-level read path traversal, which lets an attacker read, and thereby leak, the source code of custom Gradio components. Although the traversal reaches only one directory level above the intended location, it could still expose sensitive or proprietary code. Users who have developed custom Gradio components and host them on publicly accessible servers are at risk. To mitigate this vulnerability, upgrade to `gradio>=4.44`, or sanitize file paths and ensure that components are not stored in publicly accessible directories.
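The mitigation named above, sanitizing file paths, comes down to one rule: a file read requested through an endpoint must resolve to a path that stays inside the directory the endpoint is meant to serve, after `..` segments and symlinks are resolved. The following is an added example written for this page and is not Gradio's own code; it assumes a hypothetical components directory built in a temporary folder, and every path and file content in it is constructed for the example. It shows a containment check that accepts a legitimate component file and rejects a request that climbs one level out of the directory, which is exactly the class of read the advisory describes.

```python
"""Added example (not Gradio's code): containment check for serving files
under a fixed base directory, as a /custom_component-style endpoint should do.
All directory names and file contents below are constructed for the example."""
from pathlib import Path
from typing import Dict, Optional
import tempfile


def resolve_under_base(base_dir: str, requested: str) -> Optional[Path]:
    """Join `requested` to base_dir and return the resolved path only if it
    is still inside base_dir once '..' and symlinks are resolved; else None.
    A leading '/' is stripped so an absolute request cannot replace the base."""
    base = Path(base_dir).resolve()
    candidate = (base / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if candidate escaped base
    except ValueError:
        return None
    return candidate


def read_component_file(base_dir: str, requested: str) -> Optional[str]:
    """Read a file for the endpoint, or return None if the request is
    outside the components directory or does not name a regular file."""
    target = resolve_under_base(base_dir, requested)
    if target is None or not target.is_file():
        return None
    return target.read_text(encoding="utf-8")


def make_fixture() -> str:
    """Build a constructed tree in a temp dir and return the components directory:
      <tmp>/components/demo/index.js   (meant to be served)
      <tmp>/private/app.py             (one level above; must never be served)"""
    root = Path(tempfile.mkdtemp())
    comp = root / "components" / "demo"
    comp.mkdir(parents=True)
    (comp / "index.js").write_text("export const name = 'demo';", encoding="utf-8")
    private = root / "private"
    private.mkdir()
    (private / "app.py").write_text("SECRET = 'constructed'", encoding="utf-8")
    return str(root / "components")


def check_requests(components_dir: str) -> Dict[str, bool]:
    """Run a few representative requests through the guard and report, per
    request, whether the endpoint would serve it (True) or refuse it (False)."""
    probes = [
        "demo/index.js",          # legitimate component file
        "/demo/index.js",         # absolute form of the same request
        "../private/app.py",      # one level up: the pattern the advisory describes
        "demo/missing.js",        # inside the directory but does not exist
    ]
    return {p: read_component_file(components_dir, p) is not None for p in probes}


if __name__ == "__main__":
    for request, served in check_requests(make_fixture()).items():
        print(f"{request!r:25} -> {'served' if served else 'refused'}")
```

Checking `relative_to` on the fully resolved path, rather than looking for a `..` substring in the raw string, is the part that matters: string filters miss encoded or doubled separators, while resolving first and then testing containment covers them uniformly.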
