CVE-2024-10648 — Gradio Vulnerable to Arbitrary File Deletion

Description

A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. This vulnerability allows an attacker to control the format of the audio file, leading to arbitrary file content deletion. By manipulating the output format, an attacker can reset any file to an empty file, causing a denial of service (DOS) on the server.

How to fix CVE-2024-10648

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-10648 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.0.0, <= 5.0.0b2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-10648
PATCHgithub.com/gradio-app/gradio
WEBgithub.com/gradio-app/gradio/blame/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/processing_utils.py#L234
WEBhuntr.com/bounties/667d664d-8189-458c-8ed7-483fe8f33c76