{"id":"GHSA-prpg-p95c-32fv","summary":"Gradio Path Traversal vulnerability","details":"A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is flawed. Specifically, while the application correctly blocks access to paths like 'C:/tmp/secret.txt', it fails to block access when using NTFS Alternate Data Streams (ADS) syntax, such as 'C:/tmp/secret.txt::$DATA'. This flaw can lead to unauthorized reading of blocked file paths.","aliases":["CVE-2024-12217"],"modified":"2025-03-21T17:43:17.170420Z","published":"2025-03-20T12:32:42Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-22","CWE-41"],"severity":"MODERATE","nvd_published_at":"2025-03-20T10:15:27Z","github_reviewed_at":"2025-03-21T17:12:10Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12217"},{"type":"PACKAGE","url":"https://github.com/gradio-app/gradio"},{"type":"WEB","url":"https://github.com/gradio-app/gradio/blob/67e4044c9ca8358eceeb1fa72fa415df03397d20/gradio/utils.py#L1061-L1074"},{"type":"WEB","url":"https://huntr.com/bounties/0439bf3d-cb38-43a5-8314-0fadf85cc5a0"}],"affected":[{"package":{"name":"gradio","ecosystem":"PyPI","purl":"pkg:pypi/gradio"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"5.0.1"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.2.0","0.2.1","0.3.0","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.4.0","0.4.1","0.4.2","0.4.4","0.5.0","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.7.8","0.8.0","0.8.1","0.9.0","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9.2","0.9.9.3","0.9.9.5","0.9.9.6","0.9.9.7","0.9.9.8","0.9.9.9","0.9.9.9.2","1.0.0","1.0.0a1","1.0.0a3","1.0.0a4","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.1.0","1.1.1","1.1.2",
"1.1.3","1.1.4","1.1.5","1.1.6","1.1.8","1.1.8.1","1.1.9","1.2.2","1.2.3","1.3.0","1.3.1","1.3.2","1.4.0","1.4.2","1.4.3","1.4.4","1.5.0","1.5.1","1.5.3","1.5.4","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.7.0","1.7.1","1.7.2","1.7.3","1.7.4","1.7.5","1.7.6","1.7.7","2.0.0","2.0.1","2.0.10","2.0.2","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","2.1.1","2.1.2","2.1.4","2.1.6","2.1.7","2.2.0","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9a0","2.2.9a2","2.3.0","2.3.0a0","2.3.0b101","2.3.0b102","2.3.0b99","2.3.3","2.3.4","2.3.5","2.3.5b0","2.3.6","2.3.7","2.3.7b0","2.3.7b1","2.3.7b2","2.3.8b0","2.3.9","2.4.0","2.4.0a0","2.4.1","2.4.2","2.4.4","2.4.5","2.4.6","2.4.7b0","2.4.7b2","2.4.7b3","2.4.7b4","2.4.7b5","2.4.7b6","2.4.7b7","2.4.7b8","2.4.7b9","2.5.0","2.5.1","2.5.2","2.5.3","2.5.8a0","2.6.0","2.6.1","2.6.1a0","2.6.1b0","2.6.1b3","2.6.2","2.6.3","2.6.4","2.6.4b0","2.6.4b2","2.6.4b3","2.7.0","2.7.0a101","2.7.0a102","2.7.0b70","2.7.5","2.7.5.1","2.7.5.2","2.7.5.2b0","2.8.0","2.8.0a100","2.8.0b0","2.8.0b10","2.8.0b12","2.8.0b2","2.8.0b20","2.8.0b22","2.8.0b3","2.8.0b4","2.8.0b5","2.8.0b6","2.8.1","2.8.10","2.8.11","2.8.12","2.8.13","2.8.14","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","2.9.0","2.9.0.1","2.9.0b0","2.9.0b1","2.9.0b10","2.9.0b2","2.9.0b3","2.9.0b5","2.9.0b6","2.9.0b7","2.9.0b8","2.9.0b9","2.9.1","2.9.2","2.9.3","2.9.4","2.9b11","2.9b12","2.9b13","2.9b14","2.9b15","2.9b20","2.9b21","2.9b22","2.9b23","2.9b24","2.9b25","2.9b26","2.9b27","2.9b28","2.9b30","2.9b31","2.9b32","2.9b33","2.9b40","2.9b48","2.9b50","3.0","3.0.1","3.0.10","3.0.10b16","3.0.10b2","3.0.11","3.0.11b1","3.0.12","3.0.13","3.0.13b100","3.0.13b13","3.0.13b15","3.0.14","3.0.15","3.0.16","3.0.17","3.0.18","3.0.18b0","3.0.19","3.0.19b0","3.0.19b1","3.0.19b2","3.0.1b120","3.0.1b121","3.0.1b300","3.0.2","3.0.20","3.0.20.dev0","3.0.21","3.0.22","3.0.23","3.0.23.dev1","3.0.24","3.0.25","3.0.26",
"3.0.3","3.0.4","3.0.5","3.0.6","3.0.6b1","3.0.6b2","3.0.6b3","3.0.7","3.0.8","3.0.8b1","3.0.9","3.0.9b10","3.0.9b11","3.0.9b20","3.0b0","3.0b1","3.0b10","3.0b2","3.0b5","3.0b6","3.0b8","3.0b9","3.1.0","3.1.1","3.1.2","3.1.3","3.1.3a0","3.1.3a2","3.1.3a3","3.1.3a4","3.1.3a5","3.1.4","3.1.4b0","3.1.4b1","3.1.4b2","3.1.4b3","3.1.4b4","3.1.4b5","3.1.5","3.1.5b1","3.1.5b10","3.1.5b2","3.1.5b3","3.1.5b4","3.1.5b5","3.1.5b7","3.1.5b8","3.1.5b9","3.1.6","3.1.6b1","3.1.7","3.1.8b0","3.1.8b2","3.1.8b3","3.1.8b4","3.1.8b6","3.10.0","3.10.1","3.11.0","3.12.0","3.12.0b1","3.12.0b2","3.12.0b3","3.12.0b6","3.12.0b7","3.13.0","3.13.0b1","3.13.1","3.13.1b0","3.13.1b1","3.13.1b2","3.13.2","3.14.0","3.14.0a1","3.15.0","3.16.0","3.16.1","3.16.1b1","3.16.2","3.17.0","3.17.1","3.17.1b1","3.17.1b2","3.18.0","3.18.1b1","3.18.1b2","3.18.1b3","3.18.1b4","3.18.1b5","3.18.1b6","3.18.1b7","3.19.0","3.19.1","3.2","3.2.1b0","3.2.1b1","3.2.1b2","3.20.0","3.20.0b1","3.20.0b2","3.20.1","3.21.0","3.22.0","3.22.1","3.22.1b1","3.23.0","3.23.1b1","3.23.1b2","3.23.1b3","3.24.0","3.24.1","3.25.0","3.25.1b1","3.25.1b2","3.26.0","3.27.0","3.28.0","3.28.1","3.28.2","3.28.3","3.28.4b0","3.29.0","3.3","3.3.1","3.30.0","3.31.0","3.32.0","3.33.0","3.33.1","3.34.0","3.35.0","3.35.1","3.35.2","3.36.0","3.36.1","3.37.0","3.38.0","3.39.0","3.3b0","3.3b1","3.4","3.4.1","3.40.0","3.40.1","3.41.0","3.41.1","3.41.2","3.42.0","3.43.0","3.43.1","3.43.2","3.44.0","3.44.1","3.44.2","3.44.3","3.44.4","3.45.0","3.45.0b0","3.45.0b10","3.45.0b11","3.45.0b12","3.45.0b13","3.45.0b9","3.45.1","3.45.2","3.46.0","3.46.1","3.47.0","3.47.1","3.48.0","3.49.0","3.4b0","3.4b1","3.4b2","3.4b3","3.4b5","3.5","3.50.0","3.50.1","3.50.2","3.6","3.6.0b1","3.6.0b10","3.6.0b2","3.6.0b3","3.6.0b7","3.7","3.8","3.8.1","3.8.1.dev1","3.8.2","3.8b1","3.8b2","3.9","3.9.1","4.0.0","4.0.0b15","4.0.1","4.0.2","4.1.0","4.1.1","4.1.2","4.10.0","4.11.0","4.12.0","4.13.0","4.14.0","4.15.0","4.16.0","4.17.0","4.18.0","4.19.0","4.19.1","4.19.2","4.2.0","4.20.0","4.20.1","4.21.0","4.22.0","4.23.0","4.24.0","4.25.0","4.26.0","4.27.0","4.28.0","4.28.1","4.28.2","4.28.3","4.29.0","4.3.0","4.31.0","4.31.1","4.31.2","4.31.3","4.31.4","4.31.5","4.32.0","4.32.1","4.32.2","4.33.0","4.35.0","4.36.0","4.36.1","4.37.1","4.37.2","4.38.0","4.38.1","4.39.0","4.4.0","4.4.1","4.40.0","4.41.0","4.42.0","4.43.0","4.44.0","4.44.1","4.5.0","4.7.0","4.7.1","4.8.0","4.9.0","4.9.1","5.0.0","5.0.0b1","5.0.0b10","5.0.0b5","5.0.0b6","5.0.0b7","5.0.0b8","5.0.0b9","5.0.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-prpg-p95c-32fv/GHSA-prpg-p95c-32fv.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}