CVE-2025-48889 | THREATINT

Description

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.

PUBLISHED Reserved 2025-05-27 | Published 2025-05-30 | Updated 2025-05-30 | Assigner GitHub_M

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-434: Unrestricted Upload of File with Dangerous Type

Product status

< 5.31.0

affected

References

github.com/...gradio/security/advisories/GHSA-8jw3-6x8j-v96g exploit

github.com/...gradio/security/advisories/GHSA-8jw3-6x8j-v96g

cve.org (CVE-2025-48889)

nvd.nist.gov (CVE-2025-48889)

Download JSON