CVE-2024-51751

6.5 MEDIUM

📋 TL;DR

This vulnerability in Gradio allows attackers with access to the application to read arbitrary files from the server when using File or UploadButton components for file preview. All Gradio applications using these components in vulnerable versions are affected. The issue enables server-side file disclosure without proper access controls.

💻 Affected Systems

Products:
  • gradio
Versions: All versions before 5.5.0
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using File or UploadButton components with file preview functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server file system compromise including sensitive configuration files, credentials, and application source code disclosure.

🟠 Likely Case: Unauthorized access to application configuration files, environment variables, and sensitive user data stored on the server.

🟢 If Mitigated: Limited impact with proper network segmentation and minimal sensitive files accessible to the application user.

🌐 Internet-Facing: HIGH - Internet-facing Gradio applications are directly exposed to potential exploitation by any attacker.
🏢 Internal Only: MEDIUM - Internal applications still pose risk from insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the Gradio application interface but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.0

Vendor Advisory: https://github.com/gradio-app/gradio/security/advisories/GHSA-rhm9-gp5p-5248

Restart Required: Yes

Instructions:

1. Check current Gradio version: pip show gradio
2. Upgrade to version 5.5.0 or later: pip install --upgrade "gradio>=5.5.0" (the quotes are required; an unquoted >= would be interpreted by the shell as output redirection)
3. Restart all Gradio applications and services

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Disable or remove File and UploadButton components from Gradio applications
  • Implement strict network access controls to limit who can access Gradio applications

🔍 How to Verify

Check if Vulnerable:

Check if Gradio version is below 5.5.0 and application uses File or UploadButton components

Check Version:

python -c "import gradio; print(gradio.__version__)"

Verify Fix Applied:

Verify Gradio version is 5.5.0 or higher and test file upload functionality
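The following script is an added example (not part of the advisory and not Gradio project code) that automates the two checks above: it compares an installed Gradio version against the 5.5.0 patch version, treating pre-release builds of 5.5.0 (for example 5.5.0rc1 or 5.5.0.dev1) as still vulnerable, and it scans application source text for uses of the File and UploadButton components. The component scan is a heuristic based on the usual gr.File(...) / gr.UploadButton(...) call style; it is an assumption about how the application is written, not a definitive check.

```python
import re

# Patch version named in the advisory.
FIXED_VERSION = (5, 5, 0)

# Accepts forms such as 4.44.1, 5.5.0, 5.5.0rc1, 5.5.0.dev1, 5.5.0.post1.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?P<pre>(a|b|rc|\.dev)\d+)?", re.IGNORECASE
)

# Heuristic: the common call styles for the affected components.
_COMPONENT_RE = re.compile(r"\b(?:gr|gradio)\.(File|UploadButton)\s*\(")


def parse_version(text):
    """Return (major, minor, patch, is_final) for a Gradio version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    is_final = m.group("pre") is None  # a/b/rc/dev builds precede the final release
    return major, minor, patch, is_final


def is_vulnerable(version_text):
    """True when the version predates the 5.5.0 fix (pre-releases of 5.5.0 included)."""
    major, minor, patch, is_final = parse_version(version_text)
    release = (major, minor, patch)
    if release < FIXED_VERSION:
        return True
    if release == FIXED_VERSION and not is_final:
        return True  # e.g. 5.5.0rc1 was cut before the fixed 5.5.0 release
    return False


def affected_components(source_text):
    """Sorted list of affected component names referenced in the given source text."""
    return sorted(set(_COMPONENT_RE.findall(source_text)))


def installed_gradio_version():
    """Installed Gradio version via package metadata, or None if not installed."""
    try:
        from importlib.metadata import version
        return version("gradio")
    except Exception:
        return None


def assess(version_text, source_text):
    """Combine both checks: vulnerable version AND use of an affected component."""
    components = affected_components(source_text)
    return {
        "version": version_text,
        "vulnerable_version": is_vulnerable(version_text),
        "components": components,
        "exposed": is_vulnerable(version_text) and bool(components),
    }


if __name__ == "__main__":
    # Constructed sample application source for demonstration.
    SAMPLE_APP = "import gradio as gr\nwith gr.Blocks():\n    gr.File(label='upload')\n"
    v = installed_gradio_version() or "4.44.1"  # fall back to a constructed value
    print(assess(v, SAMPLE_APP))
```

Run it from the environment that serves the application so that importlib.metadata sees the same Gradio package the app imports; a version check in a different virtualenv proves nothing.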

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns through Gradio endpoints
  • Multiple failed file access attempts to sensitive paths

Network Indicators:

  • Unusual file path patterns in HTTP requests to Gradio endpoints
  • Requests attempting directory traversal patterns

SIEM Query:

source="gradio" AND (path="*../*" OR path="*..\\*" OR path="*/etc/*" OR path="*/proc/*")
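The SIEM query above matches the literal strings ../ and /etc/ in request paths; as an added example (not part of the advisory), the script below applies the same logic to a few constructed reverse-proxy access-log lines, but percent-decodes each path first so that URL-encoded traversal sequences such as %2e%2e%2f are caught as well. The log lines, source addresses, the /file= route and the /tmp/gradio cache path are constructed for illustration, not real captures.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format style) from a reverse
# proxy in front of a Gradio app. The "/file=" route and "/tmp/gradio" path are
# assumptions about a typical deployment, not values taken from the advisory.
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Nov/2024:10:01:22 +0000] "GET /file=../../etc/passwd HTTP/1.1" 200 1834
10.0.0.5 - - [12/Nov/2024:10:01:25 +0000] "GET /file=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2024:10:02:01 +0000] "GET /file=/tmp/gradio/abc123/report.pdf HTTP/1.1" 200 40112
10.0.0.9 - - [12/Nov/2024:10:02:03 +0000] "POST /upload HTTP/1.1" 200 88
10.0.0.7 - - [12/Nov/2024:10:03:40 +0000] "GET /file=..\..\windows\win.ini HTTP/1.1" 404 0
'''.strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The sensitive path prefixes named in the SIEM query above.
SENSITIVE_PREFIXES = ("/etc/", "/proc/")


def decode_path(path, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded sequences do not slip past."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(path):
    """Return the list of reasons a request path is suspicious (empty if benign)."""
    decoded = decode_path(path)
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("directory traversal")
    if any(prefix in decoded for prefix in SENSITIVE_PREFIXES):
        reasons.append("sensitive path")
    return reasons


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_requests(lines):
    """Apply the path classification to every parseable line and collect the hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify_path(rec["path"])
        if reasons:
            hits.append({
                "src": rec["src"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "reasons": reasons,
            })
    return hits


def hits_by_source(hits):
    """Count flagged requests per source address (repeated attempts from one client)."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for h in found:
        print(h["src"], h["status"], h["path"], "->", ", ".join(h["reasons"]))
    print("per source:", dict(hits_by_source(found)))
```

A 200 status on a flagged request is the signal to escalate; 404s still show that someone is probing but the server did not return file content. Per-source counts cover the "multiple attempts" indicator listed above.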
