Gradio Allows Unauthorized File Copy via Path Manipulation
Description
Gradio is an open-source Python package that allows quick building of demos and web applications for machine learning models, APIs, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An arbitrary file copy vulnerability in Gradio's flagging feature (prior to 5.31.0) lets unauthenticated attackers copy any readable file to cause disk-fill denial of service.
An arbitrary file copy vulnerability exists in the flagging feature of Gradio, an open-source Python package for building machine learning demos and web applications. Prior to version 5.31.0, the feature does not properly validate file paths provided by users, allowing an attacker to specify arbitrary paths on the server's filesystem for copying. This flaw stems from insufficient input sanitization in the code handling file operations during the flagging process [2][3].
The attack surface is accessible to any unauthenticated attacker who can interact with a Gradio instance's API or web interface. No special privileges or network position are required; the attacker only needs to craft a request that includes a path to a target file (e.g., /dev/urandom) and trigger the flagging action. The vulnerability does not require any user interaction, as the attacker can send the malicious request directly to the server [2][3].
While the attacker cannot read the content of the copied files, the impact is a denial of service (DoS) through disk space exhaustion. By repeatedly copying large files (such as /dev/urandom, which generates an unending stream of data), the attacker can fill the server's storage, potentially causing the application or even the entire system to become unresponsive. This availability impact is considered severe because it can be triggered with minimal effort and without authentication [2][3].
The vulnerability has been patched in Gradio version 5.31.0. Users are strongly advised to upgrade to this or a later release to mitigate the risk. There are no known public exploit codes at the time of disclosure, but the issue is trivial to exploit, and upgrading is the recommended remediation [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
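The narrative above describes the root cause as a missing check on user-supplied file paths before the flagging code copies them. As an added illustration that is not Gradio's code and not the actual 5.31.0 patch, the block below shows the guard such a copy should sit behind: the path must resolve (symlinks followed) inside the directory that holds uploads, it must be a regular file (so devices such as /dev/urandom and FIFOs are refused), and it must fit under a size cap so a single flag cannot fill the disk. The upload root, flag directory, cap value and all function names are assumptions; the inputs exercised by `run_demo()` are constructed in a temporary directory.

```python
"""Guard for a server-side "flag this input" copy (illustrative, not Gradio's code)."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

DEFAULT_MAX_BYTES = 50 * 1024 * 1024  # hypothetical per-file cap; tune to the deployment


class UnsafeFlagPath(ValueError):
    """Raised when a user-supplied path must not be copied."""


def check_flag_source(candidate: str, allowed_root: Path,
                      max_bytes: int = DEFAULT_MAX_BYTES) -> Path:
    """Return the resolved source path, or raise UnsafeFlagPath.

    Checks, in order:
      1. containment: the resolved path lies under allowed_root;
      2. regular file only: no devices, FIFOs or directories;
      3. size cap: bounds the disk one flag can consume.
    """
    root = allowed_root.resolve(strict=True)
    src = Path(candidate)
    if not src.is_absolute():
        src = root / src
    # resolve() collapses '..' and follows symlinks, so a link inside the
    # upload directory that points at /dev/null still fails the containment check
    src = src.resolve()
    if root not in src.parents:
        raise UnsafeFlagPath(f"{candidate!r} resolves outside {root}")
    try:
        st = src.stat()
    except FileNotFoundError:
        raise UnsafeFlagPath(f"{candidate!r} does not exist") from None
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeFlagPath(f"{candidate!r} is not a regular file")
    if st.st_size > max_bytes:
        raise UnsafeFlagPath(f"{candidate!r} exceeds {max_bytes} bytes")
    return src


def copy_flagged_file(candidate: str, allowed_root: Path, flag_dir: Path,
                      max_bytes: int = DEFAULT_MAX_BYTES) -> Path:
    """Copy a validated upload into flag_dir and return the destination path."""
    src = check_flag_source(candidate, allowed_root, max_bytes)
    dst = flag_dir / src.name
    # copyfile, not copy/copy2: do not carry metadata from a user-influenced file
    shutil.copyfile(src, dst)
    return dst


def run_demo() -> dict:
    """Exercise the guard on constructed inputs; returns the outcome per case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "uploads")
        flag_dir = Path(tmp, "flagged")
        root.mkdir()
        flag_dir.mkdir()
        (root / "sample.txt").write_text("flagged input")   # a legitimate upload
        (root / "big.bin").write_bytes(b"x" * 64)            # over the demo cap of 32 bytes
        os.mkfifo(root / "pipe")                             # non-regular file inside root
        (root / "link").symlink_to(os.devnull)               # symlink escaping root
        cases = {
            "upload": str(root / "sample.txt"),
            "traversal": "../../outside.txt",
            "device": os.devnull,
            "symlink_escape": str(root / "link"),
            "fifo": str(root / "pipe"),
            "oversized": str(root / "big.bin"),
        }
        for name, cand in cases.items():
            try:
                dst = copy_flagged_file(cand, root, flag_dir, max_bytes=32)
                results[name] = "copied:" + dst.read_text()
            except UnsafeFlagPath:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:15s} {outcome}")
```

The ordering matters: containment is checked before `stat()`, so a non-existent path outside the root is reported as a containment failure rather than leaking whether it exists, and the symlink case shows why the check must run on the resolved path rather than the string the client sent.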
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gradio (PyPI) | < 5.31.0 | 5.31.0 |
Affected products
- Range: < 5.31.0
- gradio-app/gradio v5, range: < 5.31.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-8jw3-6x8j-v96g (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-48889 (NVD entry)
- https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96g (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.