gradio@5.43.1 vulnerabilities

Python library for easily interacting with trained machine learning models

  • latest version

    5.46.0

  • first published

    6 years ago

  • latest version published

    22 hours ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the gradio package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • M: Origin Validation Error


    Affected versions of this package are vulnerable to Origin Validation Error through the is_valid_origin function. An attacker can manipulate the origin validation by altering the localhost_aliases argument.

    How to fix Origin Validation Error?

    There is no fixed version for gradio.

    Vulnerable version range: [0,)

    • M: Path Equivalence


    Affected versions of this package are vulnerable to Path Equivalence due to the blocked_path() function only blocking standard pathnames. On Windows systems, an attacker can read unauthorized files by using NTFS Alternate Data Streams syntax to bypass path restrictions.

    How to fix Path Equivalence?

    There is no fixed version for gradio.

    Vulnerable version range: [0,)

    • M: Open Redirect


    Affected versions of this package are vulnerable to Open Redirect. The validate_url() function can be forced to follow a redirect to an unintended site if the URL is passed to the file parameter and includes URL encoding.

    How to fix Open Redirect?

    There is no fixed version for gradio.

    Vulnerable version range: [0,)

    • H: Undefined Behavior for Input to API


    Affected versions of this package are vulnerable to Undefined Behavior for Input to API via the dataframe component. An attacker can cause a server crash and denial of service by uploading a maliciously crafted zip bomb.

    How to fix Undefined Behavior for Input to API?

    There is no fixed version for gradio.

    Vulnerable version range: [4.0.0,)

    • M: Arbitrary Code Injection


    Affected versions of this package are vulnerable to Arbitrary Code Injection due to an improper input check when users generate pyi files. An attacker can execute arbitrary code by supplying crafted input.

    Note:

    This vulnerability is disputed by the maintainer because the report describes a user attacking themselves.

    How to fix Arbitrary Code Injection?

    There is no fixed version for gradio.

    Vulnerable version range: [0,)

    • M: Open Redirect


    Affected versions of this package are vulnerable to Open Redirect via the file parameter. An attacker can scan and identify open ports within an internal network by discerning the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.

    How to fix Open Redirect?

    There is no fixed version for gradio.

    Vulnerable version range: [0,)