Undefined Behavior for Input to API
CVE-2024-10569
Summary
A vulnerability in the dataframe component of gradio-app/gradio allows for a zip bomb attack. The component uses "pd.read_csv" to process input values, which can accept compressed files. An attacker can exploit this by uploading a maliciously crafted zip bomb, leading to a server crash and causing a Denial of Service (DoS). This issue affects versions 4.0.0b15 and after.
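A guard for the pattern the summary describes, added here as an example and not taken from gradio or pandas: it refuses compressed uploads by content before pandas can expand them and calls `pd.read_csv` with `compression=None` so inference cannot re-enable decompression. The size limit, the magic-byte table and the function names are assumptions.

```python
"""Guard for CSV uploads that end up in pd.read_csv (added example, not gradio code)."""
import gzip
import io
import zipfile
from typing import Optional

# Leading bytes of the formats pd.read_csv(compression="infer") can expand
# (gzip, zip, bzip2, xz, zstandard); table assembled from the formats' public magic numbers.
COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bz2",
    b"\xfd7zXZ\x00": "xz",
    b"\x28\xb5\x2f\xfd": "zstd",
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed per-deployment limit on the raw upload


def detect_compression(data: bytes) -> Optional[str]:
    """Name the compression format implied by the magic bytes, or None for plain data."""
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def check_csv_upload(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> bytes:
    """Reject oversized or compressed input before anything decompresses it."""
    if len(data) > max_bytes:
        raise ValueError(f"upload of {len(data)} bytes exceeds the {max_bytes}-byte limit")
    fmt = detect_compression(data)
    if fmt is not None:
        raise ValueError(f"compressed ({fmt}) input is not accepted as CSV")
    return data


def upload_is_accepted(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> bool:
    try:
        check_csv_upload(data, max_bytes)
        return True
    except ValueError:
        return False


def safe_read_csv(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES):
    """Hardened replacement for pd.read_csv(upload): validate, then parse with compression=None."""
    import pandas as pd  # imported lazily; the guard itself does not need pandas
    return pd.read_csv(io.BytesIO(check_csv_upload(data, max_bytes)), compression=None)


def build_samples() -> dict:
    """Constructed inputs: one tiny CSV as plain text, as gzip and as a zip member."""
    plain = b"name,score\nalice,1\nbob,2\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data.csv", plain)
    return {"plain": plain, "gzip": gzip.compress(plain), "zip": buf.getvalue()}
```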
CVSS v3.1 base metrics (metric names inferred from the value order; the source lists only the values):
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality: NONE
- Integrity: NONE
- Availability: HIGH
CWE-475 - Undefined Behavior for Input to API
The behavior of this function is undefined unless its control parameter is set to a specific value.
References
Advisory Timeline
- Published