GHSA-7xmc-vhjp-qv5q

Source
https://github.com/advisories/GHSA-7xmc-vhjp-qv5q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-7xmc-vhjp-qv5q/GHSA-7xmc-vhjp-qv5q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7xmc-vhjp-qv5q
Aliases
  • CVE-2024-10569
Published
2025-03-20T12:32:39Z
Modified
2025-03-20T20:59:16.359127Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Gradio Vulnerable to Denial of Service (DoS) via Crafted Zip Bomb
Details

A vulnerability in the dataframe component of gradio-app/gradio (version git 98cbcae) allows a zip bomb attack. The component hands input values to pd.read_csv, which by default detects compressed input and transparently decompresses it. An attacker can exploit this by uploading a maliciously crafted zip bomb whose decompressed size exhausts server resources, leading to a server crash and causing a denial of service.
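The mitigation this advisory points at is to never let pandas decompress an untrusted upload on its own. The following is an added example, not Gradio's own code or fix: a gate that inspects the upload's magic bytes, extracts a zip only under a hard cap on the bytes actually produced (declared sizes in the archive are not trusted), refuses nested or other compressed formats, and only then calls pd.read_csv with compression=None so no inference happens. The function names, the 1 MiB cap and the accept/reject policy are assumptions of the example.

```python
import io
import zipfile
from typing import Dict, Optional

# Magic-byte prefixes of the formats that pandas' default compression="infer"
# transparently decompresses (taken from the public format specifications).
COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bz2",
    b"\xfd7zXZ\x00": "xz",
    b"\x28\xb5\x2f\xfd": "zstd",
}

# Hypothetical cap on the number of bytes the CSV parser may ever see.
MAX_CSV_BYTES = 1024 * 1024  # 1 MiB


def detect_compression(data: bytes) -> Optional[str]:
    """Return the compression format implied by the leading bytes, or None for plain text."""
    for magic, name in COMPRESSION_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def bounded_zip_extract(data: bytes, max_total_bytes: int) -> Dict[str, bytes]:
    """Decompress every zip member, aborting once the bytes produced exceed the cap.

    The sizes declared in the central directory give a cheap early rejection,
    but a crafted archive can lie about them, so the limit is also enforced on
    the bytes that actually come out of the decompressor."""
    extracted: Dict[str, bytes] = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        declared = sum(info.file_size for info in archive.infolist())
        if declared > max_total_bytes:
            raise ValueError(f"archive declares {declared} bytes, limit is {max_total_bytes}")
        for info in archive.infolist():
            chunks = bytearray()
            with archive.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > max_total_bytes:
                        raise ValueError(f"archive expands beyond {max_total_bytes} bytes")
                    chunks.extend(chunk)
            extracted[info.filename] = bytes(chunks)
    return extracted


def gate_csv_upload(data: bytes, max_bytes: int = MAX_CSV_BYTES) -> bytes:
    """Return plain CSV bytes safe to hand to pd.read_csv(..., compression=None).

    Policy (assumed for this example): plain text is accepted up to max_bytes,
    a single-member zip only after bounded extraction, everything else rejected."""
    kind = detect_compression(data)
    if kind is None:
        if len(data) > max_bytes:
            raise ValueError(f"upload of {len(data)} bytes exceeds limit {max_bytes}")
        return data
    if kind != "zip":
        raise ValueError(f"{kind}-compressed uploads are not accepted")
    members = bounded_zip_extract(data, max_bytes)
    if len(members) != 1:
        raise ValueError("expected exactly one CSV inside the archive")
    csv_bytes = next(iter(members.values()))
    # A member that is itself compressed would be decompressed again downstream.
    if detect_compression(csv_bytes) is not None:
        raise ValueError("nested compressed member rejected")
    return csv_bytes


def read_csv_guarded(data: bytes):
    """Parse only what passed the gate, with pandas' compression inference switched off."""
    import pandas as pd  # imported here so the gate itself needs no pandas

    return pd.read_csv(io.BytesIO(gate_csv_upload(data)), compression=None)


def make_zip_upload(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip archive (constructed sample input for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(gate_csv_upload(make_zip_upload("data.csv", b"a,b\n1,2\n")))
    oversized = make_zip_upload("data.csv", b"," * (8 * 1024 * 1024))  # small zip, 8 MiB inside
    try:
        gate_csv_upload(oversized)
    except ValueError as exc:
        print("rejected:", exc)
```

The cap is enforced twice on purpose: the declared-size check is cheap and catches the common case, while counting produced bytes during streaming is what holds when the central directory lies. Passing compression=None to read_csv matters even after the gate, because it removes the code path the advisory describes rather than relying on the gate alone.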

Database specific
{
    "github_reviewed_at": "2025-03-20T20:37:28Z",
    "nvd_published_at": "2025-03-20T10:15:17Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-475"
    ],
    "severity": "HIGH"
}
References

Affected packages

Package
  • PyPI / gradio
Affected ranges
  • Type: ECOSYSTEM
  • Events: Introduced 4.0.0; Last affected 5.0.0b2

Affected versions

4.*
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.2.0
4.3.0
4.4.0
4.4.1
4.5.0
4.7.0
4.7.1
4.8.0
4.9.0
4.9.1
4.10.0
4.11.0
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.18.0
4.19.0
4.19.1
4.19.2
4.20.0
4.20.1
4.21.0
4.22.0
4.23.0
4.24.0
4.25.0
4.26.0
4.27.0
4.28.0
4.28.1
4.28.2
4.28.3
4.29.0
4.31.0
4.31.1
4.31.2
4.31.3
4.31.4
4.31.5
4.32.0
4.32.1
4.32.2
4.33.0
4.35.0
4.36.0
4.36.1
4.37.1
4.37.2
4.38.0
4.38.1
4.39.0
4.40.0
4.41.0
4.42.0
4.43.0
4.44.0
4.44.1
5.*
5.0.0b1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-7xmc-vhjp-qv5q/GHSA-7xmc-vhjp-qv5q.json"