5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-12217

GHSA ID

GHSA-prpg-p95c-32fv

EPSS Score

0.18185%

CWE

CWE-22

Published

3/20/2025

Updated

3/21/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-12217

CVE-2024-12217:
Gradio Path Traversal vulnerability

A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is flawed. Specifically, while the application correctly blocks access to paths like 'C:/tmp/secret.txt', it fails to block access when using NTFS Alternate Data Streams (ADS) syntax, such as 'C:/tmp/secret.txt::$DATA'. This flaw can lead to unauthorized reading of blocked file paths.

(GitHub Advisory)

5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-12217

GHSA ID

GHSA-prpg-p95c-32fv

EPSS Score

0.18185%

CWE

CWE-22

Published

3/20/2025

Updated

3/21/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gradio	pip

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path equivalence handling (CWE-41) in path validation logic. The GitHub advisory specifically references lines 1061-1074 in gradio/utils.py as the vulnerable code section. These lines correspond to the path validation implementation that checks blocked paths but doesn't strip ADS syntax before validation. The function likely uses basic path resolution that preserves ADS markers, allowing bypass of restrictions through path equivalence attacks using Windows NTFS features.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility in t** *r**io-*pp/*r**io r*pository, v*rsion *it *******, *llows *or p*t* tr*v*rs*l on Win*ows OS. T** impl*m*nt*tion o* t** *lo*k**_p*t* *un*tion*lity, w*i** is int*n*** to *is*llow us*rs *rom r***in* **rt*in *il*s, is *l*w**. Sp**i*

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* *quiv*l*n** **n*lin* (*W*-**) in p*t* v*li**tion lo*i*. T** *it*u* **visory sp**i*i**lly r***r*n**s lin*s ****-**** in `*r**io/utils.py` *s t** vuln*r**l* *o** s**tion. T**s* lin*s *orr*spon* to t** p*t* v*l

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-12217: Gradio Path Traversal vulnerability

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-12217:
Gradio Path Traversal vulnerability

Vulnerability Intelligence
Miggo AI