If you discover a security vulnerability, we would be very grateful if you could email us at gradio-team@huggingface.co. This is preferred over opening a public issue. We take all vulnerability reports seriously and will work to patch the vulnerability immediately. Whenever possible, we will credit the person or people who reported a security vulnerability after it has been patched.
Security: gradio-app/gradio
- Arbitrary file read with File and UploadButton components. GHSA-rhm9-gp5p-5248, published Nov 6, 2024 by freddyaboulton. Severity: Moderate
- Lack of integrity check on the downloaded FRP client. GHSA-8c87-gvhj-xm8m, published Oct 10, 2024 by abidlabs. Severity: Low
- Several components’ post-process steps may allow arbitrary file leaks. GHSA-4q3c-cj7g-jcwf, published Oct 10, 2024 by abidlabs. Severity: High
- Dropdown component pre-process step does not limit the values to those in the dropdown list. GHSA-26jh-r8g2-6fpr, published Oct 10, 2024 by abidlabs. Severity: Low
- Non-constant-time comparison when comparing hashes. GHSA-j757-pf57-f8r4, published Oct 10, 2024 by abidlabs. Severity: Low
- Race condition in update_root_in_config may redirect user traffic. GHSA-xh2x-3mrm-fwqm, published Oct 10, 2024 by abidlabs. Severity: High
- Insecure communication between the FRP client and server. GHSA-279j-x4gx-hfrh, published Oct 10, 2024 by abidlabs. Severity: High
- XSS on every Gradio server via upload of HTML files, JS files, or SVG files. GHSA-gvv6-33j7-884g, published Oct 10, 2024 by abidlabs. Severity: High
- One-level read path traversal in `/custom_component`. GHSA-37qc-qgx6-9xjv, published Oct 10, 2024 by abidlabs. Severity: Low
- The `enable_monitoring` flag set to `False` does not disable monitoring. GHSA-hm3c-93pg-4cxw, published Oct 10, 2024 by abidlabs. Severity: Low