Improper access control in Gradio - CVE-2025-23042
Published: January 14, 2025 / Updated: April 28, 2026
Gradio
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the blocked_paths file path validation logic when handling file access requests with case-altered paths on case-insensitive file systems. A remote attacker can request a specially crafted file path to disclose sensitive information.
Only deployments on case-insensitive file systems, such as Windows and macOS, are affected.