{"id":"CVE-2024-51751","summary":"Arbitrary file read with File and UploadButton components in Gradio","details":"Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as part of a Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server. This issue has been addressed in release version 5.5.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-rhm9-gp5p-5248","PYSEC-2024-275"],"modified":"2026-05-20T08:11:27.099849899Z","published":"2024-11-06T19:11:38.731Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/51xxx/CVE-2024-51751.json","cwe_ids":["CWE-22"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/51xxx/CVE-2024-51751.json"},{"type":"ADVISORY","url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-rhm9-gp5p-5248"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-51751"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gradio-app/gradio","events":[{"introduced":"bbf9ba7e997022960c621f72baa891185bd03732"},{"fixed":"b5eaba1d6d6938197f105e5906a07fe2b2bba704"}]}],"versions":["@gradio/accordion@0.4.0","@gradio/accordion@0.4.1","@gradio/accordion@0.4.2","@gradio/accordion@0.4.3","@gradio/accordion@0.4.4","@gradio/accordion@0.4.5","@gradio/annotatedimage@0.8.0","@gradio/annotatedimage@0.8.1","@gradio/annotatedimage@0.8.2","@gradio/annotatedimage@0.8.3","@gradio/annotatedimage@0.8.4","@gradio/annotatedimage@0.8.5","@gradio/annotatedimage@0.8.6","@gradio/atoms@0.10.0","@gradio/atoms@0.10.1","@gradio/atoms@0.9.0","@gradio/atoms@0.9.1","@gradio/atoms@0.9.2","@gradio/audio@0.14.0","@gradio/audio@0.14.1","@gradio/audio@0.14.2","@gradio/audio
@0.14.3","@gradio/audio@0.14.4","@gradio/audio@0.14.5","@gradio/audio@0.14.6","@gradio/box@0.2.0","@gradio/box@0.2.1","@gradio/box@0.2.2","@gradio/box@0.2.3","@gradio/box@0.2.4","@gradio/button@0.3.0","@gradio/button@0.3.1","@gradio/button@0.3.2","@gradio/button@0.3.3","@gradio/button@0.3.4","@gradio/button@0.3.5","@gradio/chatbot@0.14.0","@gradio/chatbot@0.14.1","@gradio/chatbot@0.14.2","@gradio/chatbot@0.15.0","@gradio/chatbot@0.15.1","@gradio/chatbot@0.15.2","@gradio/chatbot@0.16.0","@gradio/chatbot@0.16.1","@gradio/checkbox@0.4.0","@gradio/checkbox@0.4.1","@gradio/checkbox@0.4.2","@gradio/checkbox@0.4.3","@gradio/checkbox@0.4.4","@gradio/checkbox@0.4.5","@gradio/checkboxgroup@0.6.0","@gradio/checkboxgroup@0.6.1","@gradio/checkboxgroup@0.6.2","@gradio/checkboxgroup@0.6.3","@gradio/checkboxgroup@0.6.4","@gradio/checkboxgroup@0.6.5","@gradio/client@1.6.0","@gradio/client@1.7.0","@gradio/client@1.7.1","@gradio/code@0.10.0","@gradio/code@0.10.1","@gradio/code@0.10.2","@gradio/code@0.10.3","@gradio/code@0.10.4","@gradio/code@0.10.5","@gradio/code@0.10.6","@gradio/colorpicker@0.4.0","@gradio/colorpicker@0.4.1","@gradio/colorpicker@0.4.2","@gradio/colorpicker@0.4.3","@gradio/colorpicker@0.4.4","@gradio/colorpicker@0.4.5","@gradio/column@0.2.0","@gradio/core@0.1.0","@gradio/core@0.1.1","@gradio/core@0.2.0","@gradio/core@0.2.1","@gradio/dataframe@0.11.0","@gradio/dataframe@0.11.1","@gradio/dataframe@0.11.2","@gradio/dataframe@0.11.3","@gradio/dataframe@0.11.4","@gradio/dataframe@0.12.0","@gradio/dataframe@0.12.1","@gradio/dataset@0.3.0","@gradio/dataset@0.3.1","@gradio/dataset@0.3.2","@gradio/dataset@0.3.3","@gradio/dataset@0.3.4","@gradio/dataset@0.3.5","@gradio/dataset@0.3.6","@gradio/dataset@0.3.7","@gradio/datetime@0.2.0","@gradio/datetime@0.2.1","@gradio/datetime@0.2.2","@gradio/datetime@0.2.3","@gradio/datetime@0.2.4","@gradio/datetime@0.2.5","@gradio/downloadbutton@0.2.0","@gradio/downloadbutton@0.2.1","@gradio/downloadbutton@0.2.2","@gradio/downloadbutton@0.2.3","
@gradio/downloadbutton@0.2.4","@gradio/downloadbutton@0.2.5","@gradio/dropdown@0.8.0","@gradio/dropdown@0.8.1","@gradio/dropdown@0.9.0","@gradio/dropdown@0.9.1","@gradio/dropdown@0.9.2","@gradio/dropdown@0.9.3","@gradio/fallback@0.4.0","@gradio/fallback@0.4.1","@gradio/fallback@0.4.2","@gradio/fallback@0.4.3","@gradio/fallback@0.4.4","@gradio/fallback@0.4.5","@gradio/file@0.10.0","@gradio/file@0.10.1","@gradio/file@0.10.2","@gradio/file@0.10.3","@gradio/file@0.10.4","@gradio/file@0.10.5","@gradio/file@0.10.6","@gradio/fileexplorer@0.5.0","@gradio/fileexplorer@0.5.1","@gradio/fileexplorer@0.5.2","@gradio/fileexplorer@0.5.3","@gradio/fileexplorer@0.5.4","@gradio/fileexplorer@0.5.5","@gradio/fileexplorer@0.5.6","@gradio/form@0.2.0","@gradio/form@0.2.1","@gradio/form@0.2.2","@gradio/form@0.2.3","@gradio/form@0.2.4","@gradio/gallery@0.13.0","@gradio/gallery@0.13.1","@gradio/gallery@0.13.2","@gradio/gallery@0.13.3","@gradio/gallery@0.13.4","@gradio/gallery@0.13.5","@gradio/gallery@0.13.6","@gradio/group@0.2.0","@gradio/highlightedtext@0.8.0","@gradio/highlightedtext@0.8.1","@gradio/highlightedtext@0.8.2","@gradio/highlightedtext@0.8.3","@gradio/highlightedtext@0.8.4","@gradio/highlightedtext@0.8.5","@gradio/html@0.4.0","@gradio/html@0.4.1","@gradio/html@0.4.2","@gradio/html@0.4.3","@gradio/html@0.4.4","@gradio/html@0.4.5","@gradio/icons@0.8.0","@gradio/icons@0.8.1","@gradio/image@0.16.0","@gradio/image@0.16.1","@gradio/image@0.16.2","@gradio/image@0.16.3","@gradio/image@0.16.4","@gradio/image@0.16.5","@gradio/image@0.16.6","@gradio/imageeditor@0.11.0","@gradio/imageeditor@0.11.1","@gradio/imageeditor@0.11.2","@gradio/imageeditor@0.11.3","@gradio/imageeditor@0.11.4","@gradio/imageeditor@0.11.5","@gradio/imageeditor@0.11.6","@gradio/json@0.5.1","@gradio/json@0.5.2","@gradio/json@0.5.3","@gradio/json@0.5.4","@gradio/json@0.5.5","@gradio/label@0.4.0","@gradio/label@0.4.1","@gradio/label@0.4.2","@gradio/label@0.4.3","@gradio/label@0.4.4","@gradio/label@0.4.5","@gradio/lite@4.4
3.1","@gradio/lite@4.43.2","@gradio/lite@5.4.0","@gradio/markdown-code@0.2.0","@gradio/markdown-code@0.2.1","@gradio/markdown@0.10.0","@gradio/markdown@0.10.1","@gradio/markdown@0.10.2","@gradio/markdown@0.10.3","@gradio/markdown@0.11.0","@gradio/markdown@0.11.1","@gradio/model3d@0.13.0","@gradio/model3d@0.13.1","@gradio/model3d@0.13.2","@gradio/model3d@0.13.3","@gradio/model3d@0.13.4","@gradio/model3d@0.13.5","@gradio/model3d@0.13.6","@gradio/multimodaltextbox@0.6.0","@gradio/multimodaltextbox@0.6.1","@gradio/multimodaltextbox@0.6.2","@gradio/multimodaltextbox@0.7.0","@gradio/multimodaltextbox@0.7.1","@gradio/multimodaltextbox@0.7.2","@gradio/multimodaltextbox@0.7.3","@gradio/multimodaltextbox@0.7.4","@gradio/nativeplot@0.4.0","@gradio/nativeplot@0.4.1","@gradio/nativeplot@0.4.2","@gradio/nativeplot@0.4.3","@gradio/nativeplot@0.4.4","@gradio/nativeplot@0.4.5","@gradio/number@0.5.0","@gradio/number@0.5.1","@gradio/number@0.5.2","@gradio/number@0.5.3","@gradio/number@0.5.4","@gradio/number@0.5.5","@gradio/paramviewer@0.5.0","@gradio/paramviewer@0.5.1","@gradio/paramviewer@0.5.2","@gradio/paramviewer@0.5.3","@gradio/paramviewer@0.5.4","@gradio/paramviewer@0.5.5","@gradio/plot@0.7.0","@gradio/plot@0.7.1","@gradio/plot@0.7.2","@gradio/plot@0.7.3","@gradio/plot@0.8.0","@gradio/plot@0.9.0","@gradio/preview@0.12.0","@gradio/preview@0.12.1","@gradio/preview@0.13.0","@gradio/radio@0.6.0","@gradio/radio@0.6.1","@gradio/radio@0.6.2","@gradio/radio@0.6.3","@gradio/radio@0.6.4","@gradio/radio@0.6.5","@gradio/row@0.2.0","@gradio/sanitize@0.1.1","@gradio/sanitize@0.1.2","@gradio/sanitize@0.1.3","@gradio/simpledropdown@0.3.0","@gradio/simpledropdown@0.3.1","@gradio/simpledropdown@0.3.2","@gradio/simpledropdown@0.3.3","@gradio/simpledropdown@0.3.4","@gradio/simpledropdown@0.3.5","@gradio/simpleimage@0.8.0","@gradio/simpleimage@0.8.1","@gradio/simpleimage@0.8.2","@gradio/simpleimage@0.8.3","@gradio/simpleimage@0.8.4","@gradio/simpleimage@0.8.5","@gradio/simpleimage@0.8.6","@gradio/si
mpletextbox@0.3.0","@gradio/simpletextbox@0.3.1","@gradio/simpletextbox@0.3.2","@gradio/simpletextbox@0.3.3","@gradio/simpletextbox@0.3.4","@gradio/simpletextbox@0.3.5","@gradio/slider@0.5.0","@gradio/slider@0.5.1","@gradio/slider@0.5.2","@gradio/slider@0.5.3","@gradio/slider@0.5.4","@gradio/slider@0.5.5","@gradio/statustracker@0.8.0","@gradio/statustracker@0.8.1","@gradio/statustracker@0.9.0","@gradio/statustracker@0.9.1","@gradio/statustracker@0.9.2","@gradio/statustracker@0.9.3","@gradio/tabitem@0.3.0","@gradio/tabitem@0.3.1","@gradio/tabitem@0.3.2","@gradio/tabitem@0.3.3","@gradio/tabs@0.3.0","@gradio/tabs@0.3.1","@gradio/tabs@0.3.2","@gradio/tabs@0.3.3","@gradio/textbox@0.7.1","@gradio/textbox@0.8.0","@gradio/textbox@0.8.1","@gradio/textbox@0.8.2","@gradio/textbox@0.8.3","@gradio/textbox@0.8.4","@gradio/theme@0.3.0","@gradio/timer@0.4.0","@gradio/upload@0.13.0","@gradio/upload@0.13.1","@gradio/upload@0.13.2","@gradio/upload@0.13.3","@gradio/upload@0.13.4","@gradio/upload@0.13.5","@gradio/uploadbutton@0.7.0","@gradio/uploadbutton@0.7.1","@gradio/uploadbutton@0.7.2","@gradio/uploadbutton@0.7.3","@gradio/uploadbutton@0.7.4","@gradio/uploadbutton@0.7.5","@gradio/utils@0.7.0","@gradio/video@0.11.0","@gradio/video@0.11.1","@gradio/video@0.11.2","@gradio/video@0.11.3","@gradio/video@0.11.4","@gradio/video@0.11.5","@gradio/video@0.11.6","@gradio/wasm@0.14.0","@gradio/wasm@0.14.1","@gradio/wasm@0.14.2","@self/app@1.41.0","@self/app@1.41.1","@self/app@1.41.2","@self/app@1.42.0","@self/app@1.42.1","@self/app@1.43.0","@self/build@0.1.0","@self/build@0.1.1","@self/build@0.2.0","@self/component-test@0.2.0","@self/component-test@0.2.1","@self/component-test@0.2.2","@self/component-test@0.2.3","@self/component-test@0.2.4","@self/component-test@0.2.5","@self/component-test@0.3.0","@self/spa@0.1.0","@self/spa@0.2.0","@self/storybook@0.7.0","@self/storybook@0.8.0","@self/tootils@0.7.0","@self/tootils@0.7.1","@self/tootils@0.7.2","@self/tootils@0.7.3","@self/tootils@0.7.4","@self/
tootils@0.7.5","@self/tootils@0.7.6","gradio@5.0.0","gradio@5.0.1","gradio@5.0.2","gradio@5.1.0","gradio@5.2.0","gradio@5.2.1","gradio@5.3.0","gradio@5.4.0","gradio_client@1.4.0","gradio_client@1.4.1","gradio_client@1.4.2","website@0.40.0","website@0.40.1","website@0.40.2","website@0.40.3","website@0.41.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51751.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}