Path Traversal: '\..\filename' in gradio

CVE-2024-10648

gradio

High

8.2/10

Summary

A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of versions 3.45.0b12 through 3.45.0b13 and 4.0.0b15 and after. This vulnerability allows an attacker to control the format of the audio file, leading to arbitrary file content deletion. By manipulating the output format, an attacker can reset any file to an empty file, causing a Denial-of-Service (DoS) on the server.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-29 - Path Traversal: '\..\filename'

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

References

Advisory Timeline

Published Mar 20, 2025

Path Traversal: '\..\filename' in gradio

CVE-2024-10648

Summary

CWE-29 - Path Traversal: '\..\filename'

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS