Path traversal in Gradio - CVE-2024-47164
Published: October 10, 2024 / Updated: April 28, 2026
Gradio
Detailed vulnerability description
The vulnerability allows a remote attacker to access restricted files.
The vulnerability exists due to path traversal in the is_in_or_equal function when handling file paths containing parent directory sequences. A remote attacker can supply a specially crafted path to access restricted files.
This primarily affects deployments relying on blocklist or directory access validation, particularly when handling file uploads.
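The effect on directory and blocklist validation can be seen by running a containment check that compares raw path strings beside one that normalises first. This is an added example, not Gradio's code or its patch; the function names, `ALLOWED_DIR`, `BLOCKED_DIR` and the sample paths are constructed for illustration.

```python
import posixpath

# Constructed directories for illustration; not paths taken from Gradio.
ALLOWED_DIR = "/srv/app/uploads"
BLOCKED_DIR = "/srv/app/secrets"

def naive_is_inside(path, base):
    """Weak check: raw string prefix test, so '..' segments are never collapsed."""
    return path == base or path.startswith(base.rstrip("/") + "/")

def safe_is_inside(path, base):
    """Hardened check: normalise both paths, then compare whole components."""
    if not posixpath.isabs(path):
        return False  # relative input is refused rather than guessed at
    # normpath collapses "." and ".." lexically. On a live filesystem,
    # os.path.realpath() should be used so symlinks are resolved as well.
    norm_base = posixpath.normpath(base)
    norm_path = posixpath.normpath(path)
    return posixpath.commonpath([norm_path, norm_base]) == norm_base

def decide(path, inside):
    """Serve a file only if it is in ALLOWED_DIR and not in BLOCKED_DIR."""
    return inside(path, ALLOWED_DIR) and not inside(path, BLOCKED_DIR)

# Constructed sample requests.
SAMPLES = [
    "/srv/app/uploads/report.csv",          # plainly inside
    "/srv/app/uploads/a/../b.txt",          # inside once normalised
    "/srv/app/uploads/../secrets/key.txt",  # leaves the allowed directory
    "/srv/app/uploads_old/x.txt",           # sibling sharing a string prefix
]

def audit(samples=SAMPLES):
    """Return (path, naive_decision, hardened_decision) for each sample."""
    return [(p, decide(p, naive_is_inside), decide(p, safe_is_inside))
            for p in samples]

def disagreements(samples=SAMPLES):
    """Paths the naive check would serve but the hardened check refuses."""
    return [p for p, naive, safe in audit(samples) if naive and not safe]

if __name__ == "__main__":
    for path, naive, safe in audit():
        print(f"{path:40} naive={naive!s:5} hardened={safe}")
```

Any path returned by `disagreements()` is one where validation on the unnormalised string passes both the directory check and the blocklist check while the resolved location is outside the allowed directory.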