Vulnerability Description
Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gradio Project | Gradio | >= 5.25.2, < 5.31.0 |
Related Weaknesses (CWE)
References
- https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96gExploitThird Party Advisory
- https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96gExploitThird Party Advisory
FAQ
What is CVE-2025-48889?
CVE-2025-48889 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrar...
How severe is CVE-2025-48889?
CVE-2025-48889 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-48889?
Check the references section above for vendor advisories and patch information. Affected products include: Gradio Project Gradio.