cve/2023/CVE-2023-51449.md

### [CVE-2023-51449](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51449)
![](https://img.shields.io/static/v1?label=Product&message=gradio&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%204.11.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-22%3A%20Improper%20Limitation%20of%20a%20Pathname%20to%20a%20Restricted%20Directory%20('Path%20Traversal')&color=brighgreen)

### Description

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/google/tsunami-security-scanner-plugins
- https://github.com/nvn1729/advisories
Update CVE sources 2024-05-28 08:49 2024-05-28 08:49:17 +00:00			`### [CVE-2023-51449](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51449)`
			`![](https://img.shields.io/static/v1?label=Product&message=gradio&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%204.11.0%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-22%3A%20Improper%20Limitation%20of%20a%20Pathname%20to%20a%20Restricted%20Directory%20('Path%20Traversal')&color=brighgreen)`

			`### Description`

			Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
Update CVE sources 2024-08-07 19:02 2024-08-07 19:02:05 +00:00			`- https://github.com/google/tsunami-security-scanner-plugins`
Update CVE sources 2024-05-28 08:49 2024-05-28 08:49:17 +00:00			`- https://github.com/nvn1729/advisories`