Input validation error in Gradio - CVE-2024-47868

 


Published: October 10, 2024 / Updated: April 28, 2026


Vulnerability identifier: #VU128281
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-47868
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Gradio
Affected software: Gradio

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper input validation in several Gradio components' post-processing and preprocessing logic when handling crafted component input that is converted to or read as file data. A remote attacker can send a specially crafted request with an arbitrary file path to disclose sensitive information.

The issue affects components that return or handle file data, including DownloadButton, Audio, ImageEditor, Video, Model3D, File, UploadButton, Chatbot, MultimodalTextbox, Code, ParamViewer, and Dataset.
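A defensive check for this class of flaw, as an added example that is not Gradio's code or its fix: walk a nested component payload and reject any file reference that resolves outside the directories the server is meant to serve from. The `path` key for file references and the temporary cache directory are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path


def is_within(path, allowed_dirs):
    """True if `path`, after resolving symlinks and '..', lies inside an allowed directory."""
    real = Path(os.path.realpath(path))
    for base in allowed_dirs:
        base_real = Path(os.path.realpath(base))
        # Compare whole path components, so /srv/cache-evil never matches /srv/cache.
        if real == base_real or base_real in real.parents:
            return True
    return False


def find_untrusted_paths(payload, allowed_dirs, key="path"):
    """Walk a nested payload and return every file path outside allowed_dirs.

    Assumption: file references arrive as dicts carrying the path under `key`.
    """
    bad = []
    if isinstance(payload, dict):
        value = payload.get(key)
        if isinstance(value, str) and not is_within(value, allowed_dirs):
            bad.append(value)
        for child in payload.values():
            bad.extend(find_untrusted_paths(child, allowed_dirs, key))
    elif isinstance(payload, (list, tuple)):
        for item in payload:
            bad.extend(find_untrusted_paths(item, allowed_dirs, key))
    return bad


def demo():
    """Constructed sample: one legitimate upload, one absolute path, one '..' escape."""
    with tempfile.TemporaryDirectory() as cache:
        upload = os.path.join(cache, "clip.wav")
        Path(upload).write_bytes(b"constructed sample")
        payload = {
            "audio": {"path": upload},
            "files": [{"path": "/etc/hostname"},
                      {"path": os.path.join(cache, "..", "outside.txt")}],
        }
        return find_untrusted_paths(payload, [cache]), cache


if __name__ == "__main__":
    rejected, _ = demo()
    print("rejected:", rejected)
```

A request whose payload yields a non-empty result should be refused before any component reads or returns the referenced file.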


How to mitigate CVE-2024-47868

Install the security update from the vendor's website.
