VYPR
Unrated severityNVD Advisory· Published Jun 4, 2024· Updated Oct 15, 2025

Command Injection in gradio-app/gradio

CVE-2024-4253

Description

A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used in a command, allowing for unauthorized modification of the base repository or secrets exfiltration. The issue affects versions up to and including '@gradio/video@0.6.12'. The flaw is present in the workflow's handling of GitHub context information, where it echoes the full name of the head repository, the head branch, and the workflow reference without adequate sanitization. This could potentially lead to the exfiltration of sensitive secrets such as 'GITHUB_TOKEN', 'COMMENT_TOKEN', and 'CHROMATIC_PROJECT_TOKEN'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Gradio App/Gradiollm-fuzzy2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: unspecified

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.