{"url":"http://public2.vulnerablecode.io/api/packages/84499?format=json","purl":"pkg:pypi/gradio@5.0.0b2","type":"pypi","namespace":"","name":"gradio","version":"5.0.0b2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.7.0","latest_non_vulnerable_version":"6.7.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56897?format=json","vulnerability_id":"VCID-gg9e-fpxd-quh6","summary":"Gradio Vulnerable to Arbitrary File Deletion\nA path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. This vulnerability allows an attacker to control the format of the audio file, leading to arbitrary file content deletion. By manipulating the output format, an attacker can reset any file to an empty file, causing a denial of service (DOS) on the server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-10648","reference_id":"","reference_type":"","scores":[{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.49057","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.49023","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.49047","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.4901","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.4904","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-10648"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/blame/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/processing_utils.py#L234","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/blame/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/processing_utils.py#L234"},{"reference_url":"https://huntr.com/bounties/667d664d-8189-458c-8ed7-483fe8f33c76","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T14:21:27Z/"}],"url":"https://huntr.com/bounties/667d664d-8189-458c-8ed7-483fe8f33c76"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-10648","reference_id":"CVE-2024-10648","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-10648"},{"reference_url":"https://github.com/advisories/GHSA-pgfv-gvc5-prfg","reference_id":"GHSA-pgfv-gvc5-prfg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pgfv-gvc5-prfg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43690?format=json","purl":"pkg:pypi/gradio@5.0.0b5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueu-3u8x-pkfs"},{"vulnerability":"VCID-3w2j-55q7-t7by"},{"vulnerability":"VCID-4y28-s547-c3d3"},{"vulnerability":"VCID-5c6u-kz54-a7ee"},{"vulnerability":"VCID-aajd-8tqx-c3bn"},{"vulnerability":"VCID-b15z-tjeb-gyeh"},{"vulnerability":"VCID-bmqt-uegd-hyap"},{"vulnerability":"VCID-dsw8-wy3z-53hm"},{"vulnerability":"VCID-ejg7-khk7-9qf3"},{"vulnerability":"VCID-h9ep-6qj7-pued"},{"vulnerability":"VCID-j1w9-nvdf-nfbr"},{"vulnerability":"VCID-mk15-qxqc-vfab"},{"vulnerability":"VCID-u9tt-44vk-nyhg"},{"vulnerability":"VCID-uew9-38g7-bqft"},{"vulnerability":"VCID-uvd9-43p8-suhm"},{"vulnerability":"VCID-vaq5-ccvf-kyg6"},{"vulnerability":"VCID-vg49-znwv-akgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0b5"}],"aliases":["CVE-2024-10648","GHSA-pgfv-gvc5-prfg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gg9e-fpxd-quh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56927?format=json","vulnerability_id":"VCID-jevg-ta5g-u7gt","summary":"Gradio Vulnerable to Denial of Service (DoS) via Crafted Zip Bomb\nA vulnerability in the dataframe component of gradio-app/gradio (version git 98cbcae) allows for a zip bomb attack. The component uses pd.read_csv to process input values, which can accept compressed files. An attacker can exploit this by uploading a maliciously crafted zip bomb, leading to a server crash and causing a denial of service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-10569","reference_id":"","reference_type":"","scores":[{"value":"0.00324","scoring_system":"epss","scoring_elements":"0.55784","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00475","scoring_system":"epss","scoring_elements":"0.65189","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00475","scoring_system":"epss","scoring_elements":"0.65201","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00475","scoring_system":"epss","scoring_elements":"0.6519","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00475","scoring_system":"epss","scoring_elements":"0.65178","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-10569"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/blob/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/components/dataframe.py#L263","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/blob/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/components/dataframe.py#L263"},{"reference_url":"https://huntr.com/bounties/7192bcbb-08a3-4d22-a321-9c6d19dbfc74","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:53:12Z/"}],"url":"https://huntr.com/bounties/7192bcbb-08a3-4d22-a321-9c6d19dbfc74"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-10569","reference_id":"CVE-2024-10569","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-10569"},{"reference_url":"https://github.com/advisories/GHSA-7xmc-vhjp-qv5q","reference_id":"GHSA-7xmc-vhjp-qv5q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7xmc-vhjp-qv5q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43690?format=json","purl":"pkg:pypi/gradio@5.0.0b5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueu-3u8x-pkfs"},{"vulnerability":"VCID-3w2j-55q7-t7by"},{"vulnerability":"VCID-4y28-s547-c3d3"},{"vulnerability":"VCID-5c6u-kz54-a7ee"},{"vulnerability":"VCID-aajd-8tqx-c3bn"},{"vulnerability":"VCID-b15z-tjeb-gyeh"},{"vulnerability":"VCID-bmqt-uegd-hyap"},{"vulnerability":"VCID-dsw8-wy3z-53hm"},{"vulnerability":"VCID-ejg7-khk7-9qf3"},{"vulnerability":"VCID-h9ep-6qj7-pued"},{"vulnerability":"VCID-j1w9-nvdf-nfbr"},{"vulnerability":"VCID-mk15-qxqc-vfab"},{"vulnerability":"VCID-u9tt-44vk-nyhg"},{"vulnerability":"VCID-uew9-38g7-bqft"},{"vulnerability":"VCID-uvd9-43p8-suhm"},{"vulnerability":"VCID-vaq5-ccvf-kyg6"},{"vulnerability":"VCID-vg49-znwv-akgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0b5"}],"aliases":["CVE-2024-10569","GHSA-7xmc-vhjp-qv5q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jevg-ta5g-u7gt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56956?format=json","vulnerability_id":"VCID-khkm-yeun-3qf3","summary":"Gradio Vulnerable to Denial of Service (DoS) via Crafted HTTP Request\nA Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression `^(?:\\s*now\\s*(?:-\\s*(\\d+)\\s*([dmhs]))?)?\\s*$` to process user input. In Python's default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-10624","reference_id":"","reference_type":"","scores":[{"value":"0.00822","scoring_system":"epss","scoring_elements":"0.74818","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00822","scoring_system":"epss","scoring_elements":"0.7482","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00822","scoring_system":"epss","scoring_elements":"0.74812","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00822","scoring_system":"epss","scoring_elements":"0.74794","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00822","scoring_system":"epss","scoring_elements":"0.74809","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-10624"},{"reference_url":"https://github.com/gradio-app/gradio","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio"},{"reference_url":"https://github.com/gradio-app/gradio/blob/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/components/datetime.py#L133-L136","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gradio-app/gradio/blob/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/components/datetime.py#L133-L136"},{"reference_url":"https://huntr.com/bounties/e8d0b248-8feb-4c23-9ef9-be4d1e868374","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:52Z/"}],"url":"https://huntr.com/bounties/e8d0b248-8feb-4c23-9ef9-be4d1e868374"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-10624","reference_id":"CVE-2024-10624","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-10624"},{"reference_url":"https://github.com/advisories/GHSA-rvgh-pr46-x7gg","reference_id":"GHSA-rvgh-pr46-x7gg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rvgh-pr46-x7gg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43690?format=json","purl":"pkg:pypi/gradio@5.0.0b5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ueu-3u8x-pkfs"},{"vulnerability":"VCID-3w2j-55q7-t7by"},{"vulnerability":"VCID-4y28-s547-c3d3"},{"vulnerability":"VCID-5c6u-kz54-a7ee"},{"vulnerability":"VCID-aajd-8tqx-c3bn"},{"vulnerability":"VCID-b15z-tjeb-gyeh"},{"vulnerability":"VCID-bmqt-uegd-hyap"},{"vulnerability":"VCID-dsw8-wy3z-53hm"},{"vulnerability":"VCID-ejg7-khk7-9qf3"},{"vulnerability":"VCID-h9ep-6qj7-pued"},{"vulnerability":"VCID-j1w9-nvdf-nfbr"},{"vulnerability":"VCID-mk15-qxqc-vfab"},{"vulnerability":"VCID-u9tt-44vk-nyhg"},{"vulnerability":"VCID-uew9-38g7-bqft"},{"vulnerability":"VCID-uvd9-43p8-suhm"},{"vulnerability":"VCID-vaq5-ccvf-kyg6"},{"vulnerability":"VCID-vg49-znwv-akgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0b5"}],"aliases":["CVE-2024-10624","GHSA-rvgh-pr46-x7gg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-khkm-yeun-3qf3"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/gradio@5.0.0b2"}