CVE Tools
Sign in

CVE-2025-23042

Gradio Blocked Path ACL Bypass Vulnerability

Published: Jan 14, 2025Updated: Aug 26, 2025 Sources: CVE List NVD GHSACWE-285
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.8%
Top 47.1%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. Given Gradio's popularity for building web applications, particularly in machine learning and AI, this vulnerability may pose a substantial threat if exploited in production environments. This issue has been addressed in release version 5.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-285

Affected Products

gradiogradio-app
Library
AI / ML / notebook-mlops
gradioPyPIOSS Libraries
gradiogradio project
Library
AI / ML / notebook-mlops
gradio-apposs-projectAI / MLaka gradio-app/gradio
pypipackage-ecosystemOSS Libraries
gradio projectoss-projectAI / MLaka gradio

Exploitability

Official Patch Available
Workaround Available

References

https://github.com/gradio-app/gradio/security/advisories/GHSA-j2jg-fq62-7c3h
github.com
https://nvd.nist.gov/vuln/detail/CVE-2025-23042
nvd.nist.gov
https://github.com/gradio-app/gradio/commit/6b63fdec441b5c9bf910f910a2505d8defbb6bf8
github.com
and 3 more references View all →

Timeline

Published
Jan 14, 2025
Last Updated
Aug 26, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-23042 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows