CVE-2024-4941 Overview
CVE-2024-4941 is a local file inclusion (LFI) vulnerability in the JSON component of gradio-app/gradio version 4.25. The flaw resides in the postprocess() function within gradio/components/json_component.py, where user-controlled input is parsed as JSON without sufficient validation. When the parsed JSON contains a path key, the referenced file is copied to a temporary directory and becomes retrievable via the /file=.. endpoint. Attackers can leverage this behavior to read arbitrary files from the server hosting the Gradio application. The vulnerability is tracked under [CWE-22] (Path Traversal).
Critical Impact
Unauthenticated remote attackers can read arbitrary files from systems running vulnerable Gradio deployments, exposing source code, credentials, and configuration data.
Affected Products
- gradio-app/gradio version 4.25 (Python package)
- Applications built on Gradio that expose the JSON component
- Hosted Gradio interfaces accessible over the network
Discovery Timeline
- 2024-06-06 - CVE-2024-4941 published to NVD
- 2025-10-15 - Last updated in NVD database
Technical Details for CVE-2024-4941
Vulnerability Analysis
The vulnerability stems from improper input validation in Gradio's JSON component. The postprocess() function accepts a user-controlled string and parses it directly as JSON. The resulting object is then passed to processing_utils.move_files_to_cache(), which recursively traverses any object looking for dictionaries containing a path key.
When a path value is found, the function copies the referenced file to a temporary cache directory managed by Gradio. That cached file is later accessible through the /file=.. HTTP endpoint, which serves cached resources to clients. Combining these two behaviors gives an attacker a primitive to exfiltrate arbitrary files readable by the Gradio process.
Because attacks require no authentication and no user interaction, any internet-facing Gradio 4.25 instance exposing the JSON component is reachable from the network.
Root Cause
The root cause is the lack of a type and source check on JSON objects produced by postprocess(). Gradio's caching layer treats any dictionary with a path field as a server-side file reference, regardless of whether the data originated from trusted internal code or untrusted user input. The patch introduces a dedicated JsonData wrapper class so the caching layer can distinguish trusted JSON payloads from user-supplied ones.
Attack Vector
An attacker sends a crafted JSON payload to the vulnerable Gradio endpoint with a path key pointing to a sensitive file such as /etc/passwd, application source code, or environment configuration. Gradio copies the file to its cache directory, then the attacker retrieves it through the /file=.. endpoint.
# Security patch (gradio/components/base.py)
from gradio import utils
from gradio.blocks import Block, BlockContext
from gradio.component_meta import ComponentMeta
-from gradio.data_classes import GradioDataModel
+from gradio.data_classes import GradioDataModel, JsonData
from gradio.events import EventListener
from gradio.layouts import Form
from gradio.processing_utils import move_files_to_cache
# Security patch (gradio/components/json_component.py)
from gradio_client.documentation import document
from gradio.components.base import Component
+from gradio.data_classes import JsonData
from gradio.events import Events
Source: Gradio Commit ee1e2942. The fix introduces the JsonData class so move_files_to_cache() no longer treats arbitrary JSON dictionaries as file references during JSON component postprocessing.
Detection Methods for CVE-2024-4941
Indicators of Compromise
- HTTP requests to Gradio endpoints containing JSON payloads with a path key referencing local files such as /etc/passwd, ~/.aws/credentials, or application source paths.
- Unexpected GET requests to the /file=.. endpoint, especially with traversal sequences or references to files outside the application working directory.
- New files appearing in Gradio's temporary cache directory that match sensitive system paths.
Detection Strategies
- Inspect web server and reverse proxy logs for /file= requests targeting files outside the Gradio working directory.
- Monitor application logs for JSON deserialization activity in gradio/components/json_component.py followed by file access in processing_utils.move_files_to_cache().
- Apply web application firewall rules that flag inbound JSON bodies containing path keys with absolute filesystem paths.
Monitoring Recommendations
- Track outbound responses from Gradio /file= endpoints for content matching sensitive file signatures such as root:x:0:0 or private key headers.
- Alert on access to Gradio's temporary cache directory by processes other than the Gradio service.
- Audit deployed Python package versions and flag any host running gradio 4.25 or earlier in the 4.x branch.
How to Mitigate CVE-2024-4941
Immediate Actions Required
- Upgrade Gradio to a version that includes commit ee1e2942e0a1ae84a08a05464e41c8108a03fa9c or later, which introduces the JsonData wrapper and removes the unsafe path traversal behavior.
- Restrict network exposure of Gradio interfaces by placing them behind authenticated reverse proxies or VPNs until patched.
- Audit Gradio cache directories for files that should not have been exposed and rotate any credentials that may have been disclosed.
Patch Information
The vendor fix is available in the upstream repository. See the Gradio security commit and the Huntr bug bounty report for technical details. Update the gradio Python package using your package manager to a version newer than 4.25.
Workarounds
- Remove or disable JSON components from Gradio applications until the package is upgraded.
- Block requests to the /file= endpoint at the reverse proxy layer when not required by the application.
- Run the Gradio process under a low-privilege account with filesystem access limited to required application directories only.
# Upgrade Gradio to a patched version
pip install --upgrade 'gradio>4.25'
# Verify the installed version
python -c "import gradio; print(gradio.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
