CVE-2024-47164: Gradio's `is_in_or_equal` function may be bypassed

October 10, 2024 (updated October 11, 2024)

What kind of vulnerability is it? Who is impacted?

This vulnerability relates to the bypass of directory traversal checks within the is_in_or_equal function. This function, intended to check if a file resides within a given directory, can be bypassed with certain payloads that manipulate file paths using .. (parent directory) sequences. Attackers could potentially access restricted files if they are able to exploit this flaw, although the difficulty is high. This primarily impacts users relying on Gradio’s blocklist or directory access validation, particularly when handling file uploads.

References

github.com/advisories/GHSA-77xq-6g77-h274
github.com/gradio-app/gradio
github.com/gradio-app/gradio/commit/08b51590163b306fd874f543f6fcaf23ac7d2646
github.com/gradio-app/gradio/security/advisories/GHSA-77xq-6g77-h274
nvd.nist.gov/vuln/detail/CVE-2024-47164

Detect and mitigate CVE-2024-47164 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →