gradio-app / gradio
Project repository
Build and share delightful machine learning apps, all in Python. 🌟 Star to support our work!
Program response times: first interaction within N/A days, review within 44 days, fix within 76 days.
Reports (title | reported | reporter | outcome: status, severity, bounty, CVE):

Arbitrary File Copy & DoS via Flagging Mechanism | Apr 15th 2025 | pventuzelo | pending
DOS via CSV logging | Apr 15th 2025 | pventuzelo | pending
CSV injection via CSV logging functionality of Gradio | Apr 15th 2025 | pventuzelo | pending
Gradio Blocked Path ACL Bypass Vulnerability | Feb 17th 2025 | superboy-zjc | pending
Gradio CORS Origin Validation Bypass Vulnerability | Feb 16th 2025 | superboy-zjc | pending
blocked_path implementation flawed on windows OS, lead to blocked file read. | Jan 8th 2025 | oicu0619 | Medium, $125, CVE-2024-12217
Denial of service while processing file uploading | Jan 7th 2025 | oicu0619 | duplicate, High
DoS by Sending Large Filename at File Upload Endpoint in | Jan 5th 2025 | mnqazi | High, $750, CVE-2025-0187
safe_join is flawed in windows OS, lead to path traversal | Dec 2nd 2024 | oicu0619 | informative, High
zip bomb on dataframe component, lead to server crash | Dec 28th 2024 | oicu0619 | High, $750, CVE-2024-10569
arbitrary file content deletion with component audio | Dec 28th 2024 | oicu0619 | High, $750, CVE-2024-10648
Local file inclusion in dropdown and other components | Oct 31st 2024 | oicu0619 | informative, High
Redos (Regular Expression Denial of Service) | Dec 25th 2024 | oicu0619 | High, $750, CVE-2024-10624
Insufficient File Type Verification Upload Function | Oct 30th 2024 | morphykutay | informative, Medium
FULL SSRF in gr.DownloadButton | Sep 4th 2024 | aftersnows | duplicate, High
check_public_url bypass via DNS rebinding | Nov 29th 2024 | thealtofwar | not applicable
DOS in multipart boundary while uploading the file | Nov 14th 2024 | mnqazi | High, $750, CVE-2024-8966
stored xss caused by the file parameter opening a file in different file paths i... | Sep 3rd 2024 | quxaa | duplicate, Medium
Insecure Temporary File | Aug 15th 2024 | web-hacker-team | not applicable
SSRF with Images components | Aug 14th 2024 | nduy2110 | duplicate, High
Open redirect by url encoding | Oct 1st 2024 | govindpalakkal | Medium, $125, CVE-2024-8021
RCE in Multiple Github Actions | Jun 17th 2024 | redyetidev | informative, Critical
Vulnerable pdfjs-dist imported in Gradio Guides results JavaScript Injection | Jul 22nd 2024 | retr0reg | duplicate, High
Unsafe eval usage can lead to remote code execution | Jul 17th 2024 | mookamooka | informative, Medium
Insecure pdf output handling leads to XSS vulnerability | Jul 22nd 2024 | 7resp4ss | not applicable
XSS Stored in ChatInterface. | May 23rd 2024 | m3dium | not applicable
Stored XSS via upload image feature | May 15th 2024 | hetroublemaker | duplicate, High
Improper Input Validation Leads to Code Injection Vulnerability | May 13th 2024 | synfinack | spam
Unsafe Jinja2 Template Creation Increases Risk of Cross-Site Scripting (XSS) Vul... | May 13th 2024 | synfinack | spam
Open Redirect: Unsanitized input from the request URL flows into fastapi.respons... | May 13th 2024 | synfinack | not applicable
Path Traversal: Unsanitized input from an environment variable flows into open | May 15th 2024 | synfinack | not applicable
Disabling SSL Verification in HTTP Requests: Potential Security Risk | May 15th 2024 | synfinack | spam
Open redirect | Jun 22nd 2024 | d47secc | Medium, $125, CVE-2024-4940
SSRF to access internal network | Apr 30th 2024 | d47secc | self closed
SSRF allow gradio app to proxy arbitrary URLs | Apr 21st 2024 | qhaoduoyu | duplicate, High
[gradio-app/gradio] Secrets exfiltration via the [deploy-website.yml] workflow | Jun 10th 2024 | nikitastupin | informative, High, CVE-2024-4254
Secrets exfiltration via the [test-functional.yml] workflow | Jun 10th 2024 | h2oa | informative, High, CVE-2024-4253
Stored XSS via file upload | May 15th 2024 | nhienit2010 | not applicable
SSRF access internal network | May 26th 2024 | nhienit2010 | duplicate, Critical
LFI in JSON component | May 30th 2024 | ozelis | High, $750, CVE-2024-4941
Secrets exfiltration via Github action workflow | Apr 8th 2024 | codevigilanteofficial | informative, High
Improper sanitization for chatbot messages and responses | May 13th 2024 | acciobugs | not applicable
Stored XSS due to upload SVG file | Mar 25th 2024 | h2oa | duplicate, High
Lack of protection against brute force | Mar 25th 2024 | h2oa | duplicate, Medium
GET-Based Open Redirect | Mar 25th 2024 | h2oa | duplicate, Medium
Server-Side Request Forgery SSRF | Apr 29th 2024 | mvlttt | High, $750, CVE-2024-4325
No CSRF Protection on Oauth Login Callback | Feb 28th 2024 | rook1337 | self closed
Improper Validation of "?_target_url" parameter leads to open redirect at Oauth | Feb 27th 2024 | rook1337 | not applicable
No rate limiting on Gradio authentication | Feb 27th 2024 | rook1337 | informative, Medium
Arbitrary file reading caused by path traversal | Apr 11th 2024 | 7resp4ss | duplicate, Critical
stored xss via svg file upload | Feb 21st 2024 | ranjit-git | informative, Critical
timing attack to guess the password | Mar 29th 2024 | ranjit-git | Medium, $125, CVE-2024-1729
Local File Inclusion | Apr 4th 2024 | pinkdraconian | High, $750, CVE-2024-1728
[gradio-app/gradio] Secrets exfiltration via the [deploy+test-visual.yml] workfl... | Mar 27th 2024 | nikitastupin | High, $750, CVE-2024-1540
CSRF allows attacker to upload many large files to victim | Mar 21st 2024 | pinkdraconian | Medium, $125, CVE-2024-1727
Local file read by calling arbitrary methods of Components class | Apr 16th 2024 | ozelis | High, $750, CVE-2024-1561
ReDos in external_utils.py #26 | Jan 26th 2024 | lujiefsi | spam
ReDoS | Jan 26th 2024 | yetingli | spam
Arbitrary File Reading due to Lack of Input Filepath Validation | Feb 5th 2024 | williwollo | High, $750, CVE-2024-0964
Insecure Temporary File Handling in Gradio's File Upload API | Jan 26th 2024 | williwollo | informative, High
Gradio chatbot vulnerable to HTML injection, Open Redirect and SSRF | Dec 15th 2023 | geekysherlock | informative, Medium
Certificate validation is turned off for HTTPS requests | Nov 22nd 2023 | dmandefy | informative, High
ssrf bug to scan internet network | Apr 16th 2024 | ranjit-git | Medium, $125, CVE-2024-1183
Improper Certificate Validation | Nov 22nd 2023 | binghzal | informative, Medium
Server-side request forgery | Feb 12th 2024 | binghzal | informative, Critical
Source repository compromise via github actions workflow | Nov 7th 2023 | arunstar | Critical, $1500, CVE-2023-6572
Command Injection | Nov 22nd 2023 | ready-research | informative, Critical
Insufficient SSRF protection allow gradio app to proxy arbitrary URLs | Mar 27th 2024 | vvxhid | High, $750, CVE-2024-2206
Insufficient SSRF protection allow gradio app to proxy arbitrary URLs | Feb 15th 2024 | vvxhid | informative, High
SSRF Vulnerability Found in Gradio | Feb 15th 2024 | eggdkk | informative, Medium
Cross-site Scripting (XSS) - Reflected | Feb 15th 2024 | rajbabai8 | informative, Critical
Current bounty amounts by severity: Critical $0, High $0, Medium $0, Low $0.