{"id":"CVE-2023-51449","summary":"Make the `/file` route secure against file traversal attacks","details":"Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitrary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.","aliases":["GHSA-6qm2-wpxq-7qh2","PYSEC-2023-249"],"modified":"2026-05-18T11:54:06.672573466Z","published":"2023-12-22T20:58:36.185Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/51xxx/CVE-2023-51449.json","cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/51xxx/CVE-2023-51449.json"},{"type":"ADVISORY","url":"https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-51449"},{"type":"FIX","url":"https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76"},{"type":"FIX","url":"https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gradio-app/gradio","events":[{"introduced":"0"},{"fixed":"160e3895805a45030a5e051f6bec2d399e354ad1"}]}],"versions":["gradio@4.10.0","@gradio/video@0.2.2","@gradio/uploadbutton@0.3.3","@gradio/upload@0.5.5","@gradio/model3d@0.4.10","@gradio/imageeditor@0.1.5","@gradio/image@0.5.2","@gradio/gallery@0.4.13","@gradio/file@0.4.2","@gradio/dataset@0.1.12","@gradio/dataframe@0.4.2","@gradio/code@0.3.2","@gradio/client@0.9.
2","@gradio/chatbot@0.5.4","@gradio/button@0.2.12","@gradio/audio@0.6.2","gradio_client@0.7.3","gradio@4.9.1","@gradio/video@0.2.1","@gradio/uploadbutton@0.3.2","@gradio/upload@0.5.4","@gradio/model3d@0.4.9","@gradio/imageeditor@0.1.4","@gradio/image@0.5.1","@gradio/gallery@0.4.12","@gradio/file@0.4.1","@gradio/dataset@0.1.11","@gradio/dataframe@0.4.1","@gradio/code@0.3.1","@gradio/client@0.9.1","@gradio/chatbot@0.5.3","@gradio/button@0.2.11","@gradio/audio@0.6.1","gradio_client@0.7.2","gradio@4.9.0","@gradio/wasm@0.4.0","@gradio/video@0.2.0","@gradio/uploadbutton@0.3.1","@gradio/upload@0.5.3","@gradio/tootils@0.1.6","@gradio/textbox@0.4.6","@gradio/statustracker@0.4.2","@gradio/slider@0.2.5","@gradio/simpletextbox@0.1.5","@gradio/simpledropdown@0.1.5","@gradio/row@0.1.1","@gradio/radio@0.3.6","@gradio/preview@0.6.0","@gradio/plot@0.2.5","@gradio/number@0.3.5","@gradio/model3d@0.4.8","@gradio/markdown@0.5.0","@gradio/label@0.2.5","@gradio/json@0.1.5","@gradio/imageeditor@0.1.3","@gradio/image@0.5.0","@gradio/icons@0.3.2","@gradio/html@0.1.5","@gradio/highlightedtext@0.4.5","@gradio/gallery@0.4.11","@gradio/form@0.1.5","@gradio/file@0.4.0","@gradio/fallback@0.2.5","@gradio/dropdown@0.4.2","@gradio/dataset@0.1.10","@gradio/dataframe@0.4.0","@gradio/colorpicker@0.2.5","@gradio/code@0.3.0","@gradio/client@0.9.0","@gradio/checkboxgroup@0.3.6","@gradio/checkbox@0.2.5","@gradio/chatbot@0.5.2","@gradio/button@0.2.10","@gradio/box@0.1.5","@gradio/audio@0.6.0","@gradio/atoms@0.4.0","gradio_client@0.7.1","gradio@4.8.0","@gradio/video@0.1.9","@gradio/uploadbutton@0.3.0","@gradio/upload@0.5.2","@gradio/tootils@0.1.5","@gradio/textbox@0.4.5","@gradio/statustracker@0.4.1","@gradio/slider@0.2.4","@gradio/simpletextbox@0.1.4","@gradio/simpledropdown@0.1.4","@gradio/radio@0.3.5","@gradio/plot@0.2.4","@gradio/number@0.3.4","@gradio/model3d@0.4.7","@gradio/markdown@0.4.1","@gradio/label@0.2.4","@gradio/json@0.1.4","@gradio/imageeditor@0.1.2","@gradio/image@0.4.2","@gradio/icons@0.3.1",
"@gradio/html@0.1.4","@gradio/highlightedtext@0.4.4","@gradio/gallery@0.4.10","@gradio/form@0.1.4","@gradio/file@0.3.1","@gradio/fallback@0.2.4","@gradio/dropdown@0.4.1","@gradio/dataset@0.1.9","@gradio/dataframe@0.3.11","@gradio/colorpicker@0.2.4","@gradio/code@0.2.9","@gradio/checkboxgroup@0.3.5","@gradio/checkbox@0.2.4","@gradio/chatbot@0.5.1","@gradio/button@0.2.9","@gradio/box@0.1.4","@gradio/audio@0.5.5","@gradio/atoms@0.3.1","gradio@4.7.0","@gradio/preview@0.5.0","@gradio/markdown@0.4.0","@gradio/dataframe@0.3.10","@gradio/chatbot@0.5.0","gradio@4.6.0","@gradio/video@0.1.8","@gradio/uploadbutton@0.2.2","@gradio/upload@0.5.1","@gradio/preview@0.4.0","@gradio/model3d@0.4.6","@gradio/markdown@0.3.4","@gradio/imageeditor@0.1.1","@gradio/image@0.4.1","@gradio/gallery@0.4.9","@gradio/file@0.3.0","@gradio/dropdown@0.4.0","@gradio/dataset@0.1.8","@gradio/dataframe@0.3.9","@gradio/code@0.2.8","@gradio/client@0.8.2","@gradio/chatbot@0.4.8","@gradio/button@0.2.8","@gradio/audio@0.5.4","gradio@3.50.2","gradio@4.5.0","@gradio/video@0.1.7","@gradio/uploadbutton@0.2.1","@gradio/upload@0.5.0","@gradio/tootils@0.1.4","@gradio/textbox@0.4.4","@gradio/statustracker@0.4.0","@gradio/slider@0.2.3","@gradio/simpletextbox@0.1.3","@gradio/simpledropdown@0.1.3","@gradio/radio@0.3.4","@gradio/preview@0.3.0","@gradio/plot@0.2.3","@gradio/number@0.3.3","@gradio/model3d@0.4.5","@gradio/markdown@0.3.3","@gradio/label@0.2.3","@gradio/json@0.1.3","@gradio/imageeditor@0.1.0","@gradio/image@0.4.0","@gradio/icons@0.3.0","@gradio/html@0.1.3","@gradio/highlightedtext@0.4.3","@gradio/gallery@0.4.8","@gradio/form@0.1.3","@gradio/file@0.2.7","@gradio/fallback@0.2.3","@gradio/dropdown@0.3.3","@gradio/dataset@0.1.7","@gradio/dataframe@0.3.8","@gradio/colorpicker@0.2.3","@gradio/code@0.2.7","@gradio/checkboxgroup@0.3.4","@gradio/checkbox@0.2.3","@gradio/chatbot@0.4.7","@gradio/button@0.2.7","@gradio/box@0.1.3","@gradio/audio@0.5.3","@gradio/atoms@0.3.0","@gradio/imageeditor@0.0.1","gradio@4.4.1","@grad
io/preview@0.2.2","gradio@4.4.0","@gradio/video@0.1.6","@gradio/uploadbutton@0.2.0","@gradio/upload@0.4.2","@gradio/tootils@0.1.3","@gradio/textbox@0.4.3","@gradio/statustracker@0.3.2","@gradio/slider@0.2.2","@gradio/simpletextbox@0.1.2","@gradio/simpledropdown@0.1.2","@gradio/radio@0.3.3","@gradio/preview@0.2.1","@gradio/plot@0.2.2","@gradio/number@0.3.2","@gradio/model3d@0.4.4","@gradio/markdown@0.3.2","@gradio/label@0.2.2","@gradio/json@0.1.2","@gradio/image@0.3.6","@gradio/icons@0.2.1","@gradio/html@0.1.2","@gradio/highlightedtext@0.4.2","@gradio/gallery@0.4.7","@gradio/form@0.1.2","@gradio/file@0.2.6","@gradio/fallback@0.2.2","@gradio/dropdown@0.3.2","@gradio/dataset@0.1.6","@gradio/dataframe@0.3.7","@gradio/colorpicker@0.2.2","@gradio/code@0.2.6","@gradio/checkboxgroup@0.3.3","@gradio/checkbox@0.2.2","@gradio/chatbot@0.4.6","@gradio/button@0.2.6","@gradio/box@0.1.2","@gradio/audio@0.5.2","@gradio/atoms@0.2.2","gradio@4.3.0","@gradio/wasm@0.3.0","@gradio/video@0.1.5","@gradio/uploadbutton@0.1.5","@gradio/upload@0.4.1","@gradio/model3d@0.4.3","@gradio/image@0.3.5","@gradio/gallery@0.4.6","@gradio/file@0.2.5","@gradio/dataset@0.1.5","@gradio/dataframe@0.3.6","@gradio/code@0.2.5","@gradio/client@0.8.1","@gradio/chatbot@0.4.5","@gradio/button@0.2.5","@gradio/audio@0.5.1","gradio@4.2.0","@gradio/video@0.1.4","@gradio/uploadbutton@0.1.4","@gradio/upload@0.4.0","@gradio/textbox@0.4.2","@gradio/model3d@0.4.2","@gradio/image@0.3.4","@gradio/gallery@0.4.5","@gradio/file@0.2.4","@gradio/dataset@0.1.4","@gradio/dataframe@0.3.5","@gradio/code@0.2.4","@gradio/client@0.8.0","@gradio/chatbot@0.4.4","@gradio/button@0.2.4","@gradio/audio@0.5.0","gradio@4.1.2","@gradio/video@0.1.3","@gradio/uploadbutton@0.1.3","@gradio/upload@0.3.3","@gradio/tootils@0.1.2","@gradio/textbox@0.4.1","@gradio/statustracker@0.3.1","@gradio/slider@0.2.1","@gradio/simpletextbox@0.1.1","@gradio/simpledropdown@0.1.1","@gradio/radio@0.3.2","@gradio/plot@0.2.1","@gradio/number@0.3.1","@gradio/model3d@0.4.1"
,"@gradio/markdown@0.3.1","@gradio/label@0.2.1","@gradio/json@0.1.1","@gradio/image@0.3.3","@gradio/html@0.1.1","@gradio/highlightedtext@0.4.1","@gradio/gallery@0.4.4","@gradio/form@0.1.1","@gradio/file@0.2.3","@gradio/fallback@0.2.1","@gradio/dropdown@0.3.1","@gradio/dataset@0.1.3","@gradio/dataframe@0.3.4","@gradio/colorpicker@0.2.1","@gradio/code@0.2.3","@gradio/client@0.7.2","@gradio/checkboxgroup@0.3.2","@gradio/checkbox@0.2.1","@gradio/chatbot@0.4.3","@gradio/button@0.2.3","@gradio/box@0.1.1","@gradio/audio@0.4.3","@gradio/atoms@0.2.1","gradio@4.1.1","@gradio/gallery@0.4.3","@gradio/dataframe@0.3.3","gradio@4.1.0","@gradio/video@0.1.2","@gradio/uploadbutton@0.1.2","@gradio/upload@0.3.2","@gradio/tootils@0.1.1","@gradio/radio@0.3.1","@gradio/preview@0.2.0","@gradio/model3d@0.4.0","@gradio/image@0.3.2","@gradio/gallery@0.4.2","@gradio/file@0.2.2","@gradio/dataset@0.1.2","@gradio/dataframe@0.3.2","@gradio/code@0.2.2","@gradio/checkboxgroup@0.3.1","@gradio/chatbot@0.4.2","@gradio/button@0.2.2","@gradio/audio@0.4.2","gradio@4.0.2","@gradio/preview@0.1.1","gradio@4.0.1","@gradio/video@0.1.1","@gradio/uploadbutton@0.1.1","@gradio/upload@0.3.1","@gradio/model3d@0.3.1","@gradio/image@0.3.1","@gradio/gallery@0.4.1","@gradio/file@0.2.1","@gradio/dataset@0.1.1","@gradio/dataframe@0.3.1","@gradio/code@0.2.1","@gradio/client@0.7.1","@gradio/chatbot@0.4.1","@gradio/button@0.2.1","@gradio/audio@0.4.1","gradio_client@0.7.0","gradio@4.0.0","@gradio/wasm@0.2.0","@gradio/video@0.1.0","@gradio/utils@0.2.0","@gradio/uploadbutton@0.1.0","@gradio/upload@0.3.0","@gradio/tootils@0.1.0","@gradio/tooltip@0.1.0","@gradio/theme@0.2.0","@gradio/textbox@0.4.0","@gradio/tabs@0.1.0","@gradio/tabitem@0.1.0","@gradio/statustracker@0.3.0","@gradio/state@0.1.0","@gradio/slider@0.2.0","@gradio/simpletextbox@0.1.0","@gradio/simpledropdown@0.1.0","@gradio/row@0.1.0","@gradio/radio@0.3.0","@gradio/preview@0.1.0","@gradio/plot@0.2.0","@gradio/number@0.3.0","@gradio/model3d@0.3.0","@gradio/markdown@0.3.
0","@gradio/label@0.2.0","@gradio/json@0.1.0","@gradio/image@0.3.0","@gradio/icons@0.2.0","@gradio/html@0.1.0","@gradio/highlightedtext@0.4.0","@gradio/group@0.1.0","@gradio/gallery@0.4.0","@gradio/form@0.1.0","@gradio/file@0.2.0","@gradio/fallback@0.2.0","@gradio/dropdown@0.3.0","@gradio/dataset@0.1.0","@gradio/dataframe@0.3.0","@gradio/column@0.1.0","@gradio/colorpicker@0.2.0","@gradio/code@0.2.0","@gradio/client@0.7.0","@gradio/checkboxgroup@0.3.0","@gradio/checkbox@0.2.0","@gradio/chatbot@0.4.0","@gradio/button@0.2.0","@gradio/box@0.1.0","@gradio/audio@0.4.0","@gradio/atoms@0.2.0","gradio_client@0.7.0-beta.2","gradio@4.0.0-beta.15","@gradio/wasm@0.2.0-beta.2","@gradio/video@0.1.0-beta.9","@gradio/utils@0.2.0-beta.6","@gradio/uploadbutton@0.1.0-beta.7","@gradio/upload@0.3.0-beta.6","@gradio/tootils@0.1.0-beta.7","@gradio/tooltip@0.1.0-beta.2","@gradio/theme@0.2.0-beta.2","@gradio/textbox@0.4.0-beta.8","@gradio/tabs@0.1.0-beta.8","@gradio/tabitem@0.1.0-beta.8","@gradio/statustracker@0.3.0-beta.8","@gradio/state@0.1.0-beta.2","@gradio/slider@0.2.0-beta.8","@gradio/simpletextbox@0.1.0-beta.2","@gradio/simpledropdown@0.1.0-beta.3","@gradio/row@0.1.0-beta.2","@gradio/radio@0.3.0-beta.8","@gradio/preview@0.1.0-beta.8","@gradio/plot@0.2.0-beta.8","@gradio/number@0.3.0-beta.8","@gradio/model3d@0.3.0-beta.8","@gradio/markdown@0.3.0-beta.8","@gradio/label@0.2.0-beta.8","@gradio/json@0.1.0-beta.8","@gradio/image@0.3.0-beta.9","@gradio/icons@0.2.0-beta.3","@gradio/html@0.1.0-beta.8","@gradio/highlightedtext@0.4.0-beta.8","@gradio/group@0.1.0-beta.2","@gradio/gallery@0.4.0-beta.9","@gradio/form@0.1.0-beta.7","@gradio/file@0.2.0-beta.8","@gradio/fallback@0.2.0-beta.8","@gradio/dropdown@0.3.0-beta.8","@gradio/dataset@0.1.0-beta.2","@gradio/dataframe@0.3.0-beta.8","@gradio/column@0.1.0-beta.3","@gradio/colorpicker@0.2.0-beta.8","@gradio/code@0.2.0-beta.8","@gradio/client@0.7.0-beta.1","@gradio/checkboxgroup@0.3.0-beta.8","@gradio/checkbox@0.2.0-beta.8","@gradio/chatbot@0.4.0-bet
a.9","@gradio/button@0.2.0-beta.7","@gradio/box@0.1.0-beta.7","@gradio/audio@0.4.0-beta.9","@gradio/atoms@0.2.0-beta.6","@gradio/lite@0.4.3","gradio@3.50.1","@gradio/lite@0.4.2","gradio@3.50.0","@gradio/lite@0.4.1","@gradio/lite@0.4.0","gradio@3.49.0","@gradio/client@0.6.0","gradio_client@0.6.1","gradio@3.48.0","@gradio/lite@0.3.2","@gradio/client@0.5.2","gradio@3.47.1","@gradio/client@0.5.1","gradio_client@0.6.0","gradio@3.47.0","@gradio/client@0.5.0","gradio@3.46.1","@gradio/client@0.4.2","gradio@3.46.0","gradio_client@0.5.3","gradio@3.45.2","@gradio/client@0.4.1","gradio@3.45.1","gradio_client@0.5.2","gradio@3.45.0","@gradio/client@0.4.0","gradio_client@0.5.1","gradio@3.44.4","gradio@3.44.3","gradio@3.44.2","gradio@3.44.1","gradio@3.44.0","gradio@3.43.2","gradio@3.43.1","gradio@3.43.0","@gradio/client@0.3.1","gradio@3.42.0","@gradio/client@0.3.0","gradio@3.41.2","gradio@3.41.1","v3.41.0","gradio_client@0.5.0","gradio@3.41.0","@gradio/lite@0.3.1","@gradio/client@0.2.1","v3.40.1","v3.40.0","v3.39.0","v3.38.0","v3.37.0","v3.36.1","v3.36.0","v3.35.2","v3.35.1","v3.35.0","v3.34.0","v3.33.1","v3.33.0","v3.32.0","v3.31.0","v3.30.0","v3.29.0","v3.28.4b0","v3.28.3","v3.28.2","v3.28.1","v3.28.0","v3.27.0","v3.26.0","v3.25.1b2","v3.25.1b1","v3.25.0","v3.24.1","v3.24.0","v3.23.1b3","v3.23.1b2","v3.23.1b1","v3.23.0","v3.22.1b1","v3.22.1","v3.22.0","v3.21.0","v3.20.1","v3.20.0","v3.20.0b2","v3.19.1","v3.19.0","v3.18.1b7","v3.18.1b6","v3.18.1b5","v3.18.1b4","v3.18.1b3","v3.18.1b2","v3.18.1b1","v3.18.0","v3.17.1b2","v3.17.1b1","v3.17.1","v3.17.0","v3.16.2","v3.16.1b1","v3.16.1","v3.0.1b300","v3.16.0","v3.15.0","v3.14.0a1","v3.14.0","v3.12.0b7","v3.13.2","v3.13.1b2","v3.13.1b1","v3.13.1b0","v3.13.1","v3.13.0b1","v3.13.0","v3.12.0b6","v3.12.0b3","v3.12.0b2","v3.12.0b1","v3.12.0","v3.11.0","v3.10.1","v3.10.0","v3.9.1","v3.9","v3.8.2","v3.8.1dev1","v3.8.1","v3.8b2","v3.8b1","v3.8","v3.6.0b7","v3.7","v3.6.0b10","v3.6.0b3","v3.6.0b2","v3.6.0b1","v3.6","v3.0.1b150","v3.5","v3.0.1b123",
"v3.0.1b121","v3.0.1b120","v3.4.1","v3.4b5","v3.4b2","v3.4","v3.4b3","v3.4b1","v3.4b0","v3.3.1","v3.3b1","v3.3.b0","v3.3","v3.2.1b2","v3.2.1b1","v3.2.1b0","v3.2","v3.1.8b","v3.1.7","v3.1.6","v3.1.5","v3.1.4b3","v3.1.4b2","v3.1.4b1","v3.1.4","v3.1.4b","v3.1.3","v3.1.3a3","v3.1.3a2","v3.1.3a","v3.1.1","v3.1.0","v3.0.26","v3.0.25","v3.0","v2.9.0","v2.8.1","v2.7.5","v2.7.1","v2.6.0","v2.4.0","v2.3.6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-51449.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}