Input validation error in Gradio - CVE-2024-47868
Published: October 10, 2024 / Updated: April 28, 2026
Gradio
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper input validation in the preprocessing and post-processing logic of several Gradio components, which convert crafted component input to file data or read it as file data. A remote attacker can send a specially crafted request containing an arbitrary file path to disclose sensitive information.
The issue affects components that return or handle file data, including DownloadButton, Audio, ImageEditor, Video, Model3D, File, UploadButton, Chatbot, MultimodalTextbox, Code, ParamViewer, and Dataset.
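A containment check of the kind this class of flaw calls for, as an added example that is not part of the advisory and is not Gradio's code or its actual fix: every file path found in a component payload must resolve inside an allowed directory before it is read or returned. The payload shape (nested dicts and lists with a `path` key), the function names, and the temporary directory standing in for a server cache are assumptions.

```python
import os
import tempfile

def is_within(path, allowed_roots):
    """True only if path resolves to a location inside one of allowed_roots."""
    # realpath collapses ".." and follows symlinks, so the comparison is made
    # on the file that would actually be opened, not on the string supplied.
    target = os.path.realpath(path)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        try:
            # commonpath compares whole components, so "/cache-x" does not
            # pass as being inside "/cache" the way a startswith() test would.
            if os.path.commonpath([target, root_real]) == root_real:
                return True
        except ValueError:  # e.g. paths on different drives on Windows
            continue
    return False

def iter_paths(payload, key="path"):
    """Yield every string stored under `key` anywhere in a nested payload."""
    if isinstance(payload, dict):
        for k, v in payload.items():
            if k == key and isinstance(v, str):
                yield v
            else:
                yield from iter_paths(v, key)
    elif isinstance(payload, (list, tuple)):
        for item in payload:
            yield from iter_paths(item, key)

def rejected_paths(payload, allowed_roots):
    """Return the paths in payload that fall outside every allowed root."""
    return [p for p in iter_paths(payload, "path") if not is_within(p, allowed_roots)]

def demo():
    # Constructed sample data: a temp dir plays the role of the upload cache.
    cache = tempfile.mkdtemp()
    good = os.path.join(cache, "clip.wav")
    open(good, "w").close()
    link = os.path.join(cache, "link")
    os.symlink(os.path.dirname(cache), link)  # symlink pointing out of the cache
    payload = {"audio": {"path": good},
               "files": [{"path": os.path.join(cache, "..", "secret.txt")},
                         {"path": os.path.join(link, "other.txt")}]}
    return cache, good, rejected_paths(payload, [cache])
```

Both the `..` traversal and the symlink that leaves the cache are rejected, while the file that really lives in the cache passes.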