VYPR
Moderate severity · NVD Advisory · Published Nov 6, 2024 · Updated Nov 6, 2024

Arbitrary file read with File and UploadButton components in Gradio

CVE-2024-51751

Description

Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as part of a Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server. This issue has been addressed in release version 5.5.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated file disclosure in Gradio via File/UploadButton components when the `meta` object is omitted from API requests.

Vulnerability

CVE-2024-51751 is a path traversal-like vulnerability in Gradio, the open-source Python framework for building machine learning demos and web applications [1][2]. When an application uses File or UploadButton components to preview uploaded file content, an attacker can read arbitrary files from the server's filesystem. The root cause is insufficient validation in the processing_utils.async_move_files_to_cache function. Gradio relies on the client_utils.is_file_obj_with_meta filter to walk the incoming payload and sanitize the file paths it contains, but this filter only recognizes objects that include a "meta" key with {"_type": "gradio.FileData"} [3].

Exploitation

An attacker with access to a Gradio application that exposes File or UploadButton components can craft a direct API request to the /gradio_api/run/predict endpoint. By sending a JSON payload containing a FileData object that specifies the path of a sensitive file on the server (e.g., /etc/passwd) and deliberately omitting the "meta" field, the is_file_obj_with_meta filter returns False. This causes Gradio to skip the sanitization step and directly process the attacker-supplied path, reading and returning its contents in the response [3]. No authentication is required beyond network access to the application.
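To make the mechanism described in the Vulnerability and Exploitation sections concrete, here is an added Python example (not Gradio's own code): a meta-gated filter of the kind the advisory describes beside a hardened filter that confines every dict carrying a "path" to the upload cache, regardless of "meta". The cache directory and all function names are assumptions for the example.

```python
from pathlib import Path

# Constructed cache directory for this example (assumption, not Gradio's real path).
UPLOAD_CACHE = Path("/tmp/gradio_upload_cache")
FILEDATA_META = {"_type": "gradio.FileData"}


def is_file_obj_with_meta(obj) -> bool:
    """Vulnerable-style filter: a dict without the 'meta' marker is not
    treated as a file reference, so its 'path' is never checked."""
    return isinstance(obj, dict) and "path" in obj and obj.get("meta") == FILEDATA_META


def is_file_obj(obj) -> bool:
    """Hardened-style filter: any dict carrying a 'path' is a file reference."""
    return isinstance(obj, dict) and "path" in obj


def path_is_in_cache(path: str, cache: Path = UPLOAD_CACHE) -> bool:
    """True only if the resolved path stays inside the upload cache
    (resolve() collapses '..' and symlinks before the containment check)."""
    try:
        Path(path).resolve().relative_to(cache.resolve())
        return True
    except ValueError:
        return False


def validate_payload(data, file_filter, cache: Path = UPLOAD_CACHE) -> list:
    """Walk a /gradio_api/run/predict-style JSON body and return the paths
    that file_filter recognizes as file references but that point outside
    the cache (an empty list means the payload is accepted)."""
    rejected = []

    def walk(node):
        if file_filter(node):
            if not path_is_in_cache(node["path"], cache):
                rejected.append(node["path"])
            return  # a file reference; nothing below it to inspect
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(data)
    return rejected
```

With the meta-gated filter, a file object that omits "meta" is never inspected and its path is silently accepted; the hardened filter rejects it because the path resolves outside the cache.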

Impact

Successful exploitation allows an attacker to read arbitrary files from the application server, including sensitive configuration files, source code, or credentials. The vulnerability does not require a valid file upload from a user session; a single crafted curl request suffices. The advisory states that no workarounds exist beyond upgrading [2].

Mitigation

The fix is included in Gradio version 5.5.0 [2][3]. All users running an earlier version who use File or UploadButton components should upgrade immediately. Since there are no known workarounds, updating is the only remediation.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: gradio (PyPI)
Affected versions: >= 5.0.0, < 5.5.0
Patched versions: 5.5.0

Affected products

  • ghsa-coords
    Range: >= 5.0.0, < 5.5.0
  • gradio-app/gradio (v5)
    Range: >= 5.0.0, < 5.5.0

Patches


No patches discovered yet.
