CVSS Score
The vulnerability stems from improper path validation in API request handling. The commit diff shows substantial changes to event processing in queueing.py and client.py, particularly around session handling and data submission. The send_data function in client.py was modified to validate the session properly, indicating that it previously accepted untrusted input. In the vulnerable versions, the Queue.push method's handling of session hashes and event IDs lacked path sanitization, allowing local file inclusion (LFI) through crafted JSON payloads. The CWE-22 classification and the patch's focus on SSE protocol handling confirm these as the entry points for path traversal.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| gradio | pip | < 4.9.0 | 4.9.0 |
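As an added illustration, not gradio's code and not taken from the patch: a constructed queue-push handler that builds a per-session file path from the session_hash and event_id fields of a JSON payload, shown in a naive form beside a hardened one that rejects traversal. The file layout, the identifier format and the function names are assumptions.

```python
import json
import re
from pathlib import Path

# Constructed example, not gradio's code: the identifiers session_hash and
# event_id mirror the advisory text, but the on-disk layout is an assumption.
ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_event_path(base_dir: str, session_hash: str, event_id: str) -> Path:
    """Unsafe: joins untrusted identifiers into a path with no validation,
    so a session_hash such as '../../etc' walks out of base_dir."""
    return Path(base_dir) / session_hash / f"{event_id}.json"


def safe_event_path(base_dir: str, session_hash: str, event_id: str) -> Path:
    """Hardened: allowlist each identifier, then confirm the resolved path
    still lies under base_dir (defence in depth against unexpected inputs)."""
    for name, value in (("session_hash", session_hash), ("event_id", event_id)):
        if not isinstance(value, str) or not ID_PATTERN.fullmatch(value):
            raise ValueError(f"invalid {name}")
    base = Path(base_dir).resolve()
    target = (base / session_hash / f"{event_id}.json").resolve()
    if base not in target.parents:
        raise ValueError("path escapes base directory")
    return target


def handle_push(base_dir: str, payload: str) -> dict:
    """Parse a queue push payload (JSON) and map it to a file path safely.
    Returns a result dict so callers can act on rejection instead of crashing."""
    try:
        data = json.loads(payload)
        path = safe_event_path(base_dir, data.get("session_hash"), data.get("event_id"))
    except (ValueError, json.JSONDecodeError) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "path": str(path)}


if __name__ == "__main__":
    # Constructed sample payloads: one benign, one carrying a traversal attempt.
    benign = '{"session_hash": "abc123", "event_id": "ev42"}'
    hostile = '{"session_hash": "../../etc", "event_id": "passwd"}'
    print(handle_push("sessions", benign))
    print(handle_push("sessions", hostile))
```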