Path traversal in Gradio - CVE-2024-47166
Published: October 10, 2024 / Updated: April 28, 2026
Gradio
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the /custom_component endpoint when processing a manipulated file path in a request. A remote attacker can send a specially crafted request to disclose sensitive information.
The traversal is limited to a single directory level and can expose source code from custom Gradio components.
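A containment check of the kind that stops a one-level traversal like the one described above, as an added example; it is not Gradio's code or its patch. The `my_component` layout, the `templates` served directory, the file names and the `resolve_served_file` helper are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

SAMPLE_REQUESTS = ["index.js", "assets/../index.js", "../backend.py",
                   "../templates_old/index.js", "/etc/hostname", "nope.js"]


class TraversalError(ValueError):
    """The requested path resolves outside the directory being served."""


def resolve_served_file(served_dir, requested):
    """Return the real path of `requested` under `served_dir`, or raise."""
    base = Path(served_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks; an absolute `requested`
    # replaces `base` in the join, and the check below catches that as well.
    target = (base / requested).resolve()
    try:
        # Component-wise check; a string prefix would also accept "templates_old".
        target.relative_to(base)
    except ValueError:
        raise TraversalError(f"{requested!r} escapes {base}") from None
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target


def check_requests(requests):
    """Check each (constructed) request against a constructed component layout."""
    with tempfile.TemporaryDirectory() as root:
        component = Path(root, "my_component")  # hypothetical component package
        served = component / "templates"        # assumed served directory
        for rel in ("templates/index.js", "templates/assets/style.css",
                    "backend.py", "templates_old/index.js"):
            (component / rel).parent.mkdir(parents=True, exist_ok=True)
            (component / rel).write_text("constructed sample\n")
        verdicts = {}
        for req in requests:
            try:
                resolve_served_file(served, req)
                verdicts[req] = "served"
            except (TraversalError, FileNotFoundError) as exc:
                verdicts[req] = type(exc).__name__
        return verdicts


if __name__ == "__main__":
    for request, verdict in check_requests(SAMPLE_REQUESTS).items():
        print(f"{verdict:18} {request}")
```

The `../backend.py` case is the single-level escape into component source that the description mentions; the check rejects it because the resolved path is compared against the served directory itself, not its parent.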