PyPi: Gradio

CVE-2023-34239

Safety vulnerability ID: 58902

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 08, 2023 Updated at Jun 09, 2024

Advisory

Gradio 3.34.0 includes a fix for a path traversal vulnerability.
https://github.com/gradio-app/gradio/pull/4370
https://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695

Affected package

gradio

Latest version: 4.36.1

Python library for easily interacting with trained machine learning models

Affected versions

Fixed versions

Vulnerability changelog

New Features:

- Introduced `gradio deploy` to launch a Gradio app to Spaces directly from your terminal. By [aliabid94](https://github.com/aliabid94) in [PR 4033](https://github.com/gradio-app/gradio/pull/4033).


Bug Fixes:

- Make `Blocks.load` behave like other event listeners (allows chaining `then` off of it) by [anentropic](https://github.com/anentropic/) in [PR 4304](https://github.com/gradio-app/gradio/pull/4304)
- Respect `interactive=True` in output components of a `gr.Interface` by [abidlabs](https://github.com/abidlabs) in [PR 4356](https://github.com/gradio-app/gradio/pull/4356).
- Remove unused frontend code by [akx](https://github.com/akx) in [PR 4275](https://github.com/gradio-app/gradio/pull/4275)
- Fixes favicon path on Windows by [abidlabs](https://github.com/abidlabs) in [PR 4369](https://github.com/gradio-app/gradio/pull/4369).
- Prevent path traversal in `/file` routes by [abidlabs](https://github.com/abidlabs) in [PR 4370](https://github.com/gradio-app/gradio/pull/4370).
- Do not send HF token to other domains via `/proxy` route by [abidlabs](https://github.com/abidlabs) in [PR 4368](https://github.com/gradio-app/gradio/pull/4368).
- Replace default `markedjs` sanitize function with DOMPurify sanitizer for `gr.Chatbot()` by [dawoodkhan82](https://github.com/dawoodkhan82) in [PR 4360](https://github.com/gradio-app/gradio/pull/4360)
- Prevent the creation of duplicate copy buttons in the chatbot and ensure copy buttons work in non-secure contexts by [binary-husky](https://github.com/binary-husky) in [PR 4350](https://github.com/gradio-app/gradio/pull/4350).

Other Changes:

- Performance optimization in the frontend's Blocks code by [akx](https://github.com/akx) in [PR 4334](https://github.com/gradio-app/gradio/pull/4334)

Breaking Changes:

- The `/file=` route no longer allows accessing dotfiles or files in "dot directories" by [akx](https://github.com/akx) in [PR 4303](https://github.com/gradio-app/gradio/pull/4303)
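As an added illustration of the two behaviours the changelog entries above describe (refusing requests that escape an allowed directory in the `/file` routes, and refusing dotfiles and dot-directories under `/file=`), here is a containment check written for this page. It is not Gradio's own code; the `serve_path` and `demo` functions, the directory layout and the file names are constructed for the example.

```python
from __future__ import annotations

import tempfile
from pathlib import Path


def serve_path(requested: str, allowed_roots: list[Path]) -> Path | None:
    """Return the real path to serve, or None if the request must be refused.

    Two checks, modelled on the behaviour the changelog describes:
      1. the fully resolved target must sit inside one of the allowed roots
         (this defeats ".." sequences and symlinks that point outside);
      2. no component of the path below that root may start with ".",
         so dotfiles and dot-directories such as ".env" or ".git/" stay hidden.
    """
    target = Path(requested).resolve()  # collapses ".." and follows symlinks
    for root in allowed_roots:
        try:
            rel = target.relative_to(root.resolve())
        except ValueError:
            continue  # not under this root; try the next one
        if any(part.startswith(".") for part in rel.parts):
            return None  # dotfile or dot-directory under an allowed root
        return target if target.is_file() else None
    return None  # outside every allowed root


def demo() -> dict[str, bool]:
    """Exercise serve_path on a constructed directory layout (sample data only)."""
    base = Path(tempfile.mkdtemp())
    root = base / "app_files"  # the only directory the app may serve from
    (root / ".git").mkdir(parents=True)
    (root / "output.png").write_bytes(b"\x89PNG")          # legitimate output
    (root / ".env").write_text("TOKEN=placeholder")        # dotfile
    (root / ".git" / "config").write_text("[core]")        # file in dot-directory
    (base / "secret.txt").write_text("outside the root")   # sibling, must stay unreachable
    allowed = [root]
    return {
        "normal_file": serve_path(str(root / "output.png"), allowed) is not None,
        "traversal": serve_path(str(root / ".." / "secret.txt"), allowed) is None,
        "dotfile": serve_path(str(root / ".env"), allowed) is None,
        "dot_dir": serve_path(str(root / ".git" / "config"), allowed) is None,
    }
```

Resolving before comparing is what makes the check hold; comparing raw strings with `startswith(root)` would still admit `../` and symlink escapes.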


Severity Details

CVSS Base Score

CRITICAL 9.1

CVSS v3 Details

CRITICAL 9.1
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Impact (A)
NONE