AVID-2026-R1373
Description
Path Traversal in gradio-app/gradio (CVE-2024-10648)
Details
A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. The vulnerability allows an attacker to control the format of the audio file, leading to arbitrary file content deletion: by manipulating the output format, an attacker can reset any file to an empty file, causing a denial of service (DoS) on the server.
Reason for inclusion in AVID: CVE-2024-10648 describes a path traversal vulnerability in the Gradio Audio component of gradio-app/gradio, a library/framework widely used to build and deploy AI/demo apps. This is a security vulnerability affecting software commonly used in ML pipelines and AI deployments, i.e., a software supply-chain component (dependency) used to build, deploy, or run general-purpose AI systems. The vulnerability can cause file content deletion and DoS, aligning with common security/safety vulnerability categories. There is explicit CVE information and description available.
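The defect class described above is a user-controlled "format" value flowing into an output file path. The following added example (not Gradio's code; the function names, the allowlist and the output directory are assumptions) shows the check a deployer would want: an allowlist on the format, a single-component file stem, and a containment check on the resolved path before any file is opened for writing.

```python
# Added example, not part of gradio-app/gradio: safe construction of an
# audio output path from a caller-supplied format string (CWE-29 class).
# Assumed: outputs live under one fixed directory and only a small set of
# formats is supported. All names here are illustrative.
from pathlib import Path

# Allowlist: the only strings ever allowed to become a file extension.
ALLOWED_FORMATS = {"wav", "mp3", "ogg", "flac"}


def safe_output_path(output_dir: str, stem: str, fmt: str) -> Path:
    """Return output_dir/<stem>.<fmt>, raising ValueError when fmt is not
    allowlisted, stem is not a plain file name, or the resolved target
    would land outside output_dir."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported audio format: {fmt!r}")
    # The stem must be exactly one path component: no separators, no dots-only.
    if not stem or stem in (".", "..") or "/" in stem or "\\" in stem:
        raise ValueError(f"invalid file stem: {stem!r}")
    base = Path(output_dir).resolve()
    target = (base / f"{stem}.{fmt}").resolve()
    # Containment check: the final path must sit directly inside base.
    if target.parent != base:
        raise ValueError("output path escapes the output directory")
    return target


def is_accepted(output_dir: str, stem: str, fmt: str) -> bool:
    """Convenience predicate: True when the inputs pass every check."""
    try:
        safe_output_path(output_dir, stem, fmt)
        return True
    except ValueError:
        return False


def open_for_new_audio(output_dir: str, stem: str, fmt: str):
    """Open the validated target with exclusive create ('x' mode), so an
    existing file can never be truncated to empty by this code path."""
    return open(safe_output_path(output_dir, stem, fmt), "xb")
```

The exclusive-create mode is the second half of the mitigation: even if a path check were bypassed, the write would fail instead of emptying an existing file.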
References
Affected or Relevant Artifacts
- Developer: gradio-app
- Deployer: gradio-app
- Artifact Details:
| Type | Name |
|---|---|
| System | gradio-app/gradio |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| Base Score | 8.2 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | 🟢 Low |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-29 | CWE-29 Path Traversal: '\..\filename' |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry