CVE-2024-12217 MEDIUM

CVE-2024-12217: Path Traversal in gradio-app/gradio

Vendor Gradio-App
Product gradio-app/gradio
Weakness CWE-22 · Path traversal
Published March 20, 2025
Last update March 20, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is flawed. Specifically, while the application correctly blocks access to paths like 'C:/tmp/secret.txt', it fails to block access when using NTFS Alternate Data Streams (ADS) syntax, such as 'C:/tmp/secret.txt::$DATA'. This flaw can lead to unauthorized reading of blocked file paths.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated