VYPR
Critical severity · NVD Advisory · Published Jan 14, 2025 · Updated Feb 12, 2025

Gradio Blocked Path ACL Bypass Vulnerability

CVE-2025-23042

Description

Gradio is an open-source Python package that allows quick building of demos and web applications for machine learning models, APIs, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises from the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. Given Gradio's popularity for building web applications, particularly in machine learning and AI, this vulnerability may pose a substantial threat if exploited in production environments. This issue has been addressed in release version 5.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gradio's ACL for file paths can be bypassed on case-insensitive systems by altering letter case, allowing unauthorized access to blocked files.

Vulnerability

Overview

CVE-2025-23042 is a security bypass in Gradio's Access Control List (ACL) for file paths. The root cause is the lack of case normalization in the file path validation logic within the is_allowed_file function in gradio/utils.py. On case-insensitive file systems, such as those used by Windows and macOS, this flaw allows an attacker to circumvent blocked path restrictions by simply changing the letter case of a blocked file or directory path [2][3].

Exploitation

An attacker can exploit this vulnerability by sending a request that references a file path differing only in case from a path listed in blocked_paths. For example, if config.yaml is blocked, requesting Config.yaml would bypass the ACL. No authentication is required if the Gradio application exposes file access functionality. The attack surface is limited to environments running on case-insensitive file systems [3].

Impact

Successful exploitation leads to unauthorized access to sensitive files, including configuration files, user data, or credentials. This can result in data exposure and potentially broader system compromise if the leaked information contains API keys or other secrets. Given Gradio's widespread use in machine learning and AI web applications, this vulnerability poses a significant threat in production environments [2][3].

Mitigation

The issue has been addressed in Gradio release version 5.6.0. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability [2][3].
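To make the Overview, Exploitation and Mitigation sections concrete, here is an added example (not Gradio's own code): a simplified blocklist check in its pre-fix and fixed shapes, plus a probe a defender can run to learn whether the host filesystem folds case and is therefore in the affected population. The blocklist entries, the request paths and the hypothetical `is_in_or_equal` stand-in are constructed for the demo.

```python
import os
import tempfile
from pathlib import PurePosixPath
from typing import Iterable, Optional

# Constructed blocklist for this demo; not a real Gradio deployment's settings.
BLOCKED_PATHS = ["/srv/app/secrets", "/srv/app/config.yaml"]

def is_in_or_equal(path: str, base: str) -> bool:
    """Lexical containment check: True if `path` is `base` or lies beneath it.
    Hypothetical stand-in for the helper of the same name in gradio/utils.py."""
    p, b = PurePosixPath(path), PurePosixPath(base)
    return p == b or b in p.parents

def in_blocklist_vulnerable(path: str, blocked: Iterable[str] = BLOCKED_PATHS) -> bool:
    """Pre-fix shape: the request path is compared verbatim, so 'Config.yaml'
    is not recognised as 'config.yaml' even though a case-folding filesystem
    serves the same file for both spellings."""
    return any(is_in_or_equal(path, b) for b in blocked)

def in_blocklist_fixed(path: str, blocked: Iterable[str] = BLOCKED_PATHS) -> bool:
    """Fix shape (as in the 5.6.0 commit): fold both sides before comparing."""
    return any(is_in_or_equal(path.lower(), b.lower()) for b in blocked)

def fs_is_case_insensitive(directory: Optional[str] = None) -> bool:
    """Defender-side probe: does the filesystem under `directory` fold case?
    Creates a temporary file and checks whether a case-swapped spelling of its
    name also exists. True is expected on default Windows and macOS volumes."""
    with tempfile.NamedTemporaryFile(dir=directory, prefix="casecheck_", delete=False) as f:
        name = f.name
    try:
        swapped = os.path.join(os.path.dirname(name), os.path.basename(name).swapcase())
        return swapped != name and os.path.exists(swapped)
    finally:
        os.remove(name)

if __name__ == "__main__":
    for req in ["/srv/app/config.yaml", "/srv/app/Config.yaml", "/srv/app/SECRETS/key.pem"]:
        print(f"{req:28} vulnerable={in_blocklist_vulnerable(req)} fixed={in_blocklist_fixed(req)}")
    print("host filesystem folds case:", fs_is_case_insensitive())
```

The case-folded comparison is applied regardless of platform, so on a case-sensitive host it is stricter than the filesystem itself; that is the safe direction for a blocklist.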

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
gradio (PyPI)    < 5.11.0            5.11.0

Affected products: 3

Patches: 1
6b63fdec441b

Blocked Paths Fix (#10304)

Repository: https://github.com/gradio-app/gradio · Author: Freddy Boulton · Jan 8, 2025 · via ghsa
3 files changed · +25 −1
  • .changeset/afraid-rats-guess.md+5 0 added
    @@ -0,0 +1,5 @@
    +---
    +"gradio": minor
    +---
    +
    +feat:Blocked Paths Fix
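Review bot: the changeset labels this as `feat:` with a `minor` bump, but the commit is a security fix for a blocklist bypass; a `fix:` label and a body that states what was wrong (`blocked_paths` entries were compared without case folding, so case variants slipped past on case-insensitive filesystems) would make the release notes useful to anyone deciding whether to upgrade.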
    
  • gradio/utils.py+2 1 modified
    @@ -1513,7 +1513,8 @@ def is_allowed_file(
         bool, Literal["in_blocklist", "allowed", "created", "not_created_or_allowed"]
     ]:
         in_blocklist = any(
    -        is_in_or_equal(path, blocked_path) for blocked_path in blocked_paths
    +        is_in_or_equal(str(path).lower(), str(blocked_path).lower())
    +        for blocked_path in blocked_paths
         )
         if in_blocklist:
             return False, "in_blocklist"
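Review bot: `.lower()` is applied unconditionally, so on case-sensitive filesystems a file that differs from a blocked entry only in case is now also refused; that is the safe direction for a blocklist but should be noted in the docstring. Two smaller points on the `+` lines: `str.lower()` does not reproduce every filesystem's folding rules (`str.casefold()` is closer for non-ASCII names, and neither handles Unicode normalization differences), and `is_in_or_equal` now receives plain strings where it previously received `path` as-is, so confirm that helper normalizes its arguments (e.g. via `Path(...)`) rather than comparing raw strings, and that `path` has already been resolved by the caller so `..` segments and symlinks do not reach this check un-normalized.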
    
  • test/test_routes.py+18 0 modified
    @@ -325,6 +325,24 @@ def test_allowed_and_blocked_paths(self):
             io.close()
             os.remove(tmp_file.name)
     
    +    def test_blocked_path_case_insensitive(self):
    +        with tempfile.TemporaryDirectory() as temp_dir:
    +            tmp_file = Path(temp_dir) / "blocked" / "test.txt"
    +            tmp_file.parent.mkdir(parents=True, exist_ok=True)
    +            tmp_file.touch()
    +            io = gr.Interface(lambda s: s.name, gr.File(), gr.File())
    +            app, _, _ = io.launch(
    +                prevent_thread_lock=True,
    +                allowed_paths=[temp_dir],
    +                blocked_paths=[str(tmp_file.parent)],
    +            )
    +            client = TestClient(app)
    +            file_response = client.get(
    +                f"{API_PREFIX}/file={str(Path(temp_dir) / 'BLOCKED' / 'test.txt')}"
    +            )
    +            assert file_response.status_code == 403
    +            io.close()
    +
         def test_get_file_created_by_app(self, test_client):
             app, _, _ = gr.Interface(lambda s: s.name, gr.File(), gr.File()).launch(
                 prevent_thread_lock=True
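Review bot: the new test only exercises the upper-cased spelling; also asserting that the exact-case request `blocked/test.txt` still returns 403 and that a sibling file under `temp_dir` but outside `blocked` still returns 200 would catch both a regression of the fix and an over-broad block. Minor: `io.close()` runs only when the assertion passes, so a failing run leaks the launched app; wrapping the body in `try`/`finally` (or a fixture) would be cleaner, although the existing `test_allowed_and_blocked_paths` above follows the same pattern.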
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
