CVE-2024-0964: 
Gradio vulnerability analysis and mitigation

A local file include vulnerability (CVE-2024-0964) was discovered in Gradio that could be remotely triggered through a vulnerable user-supplied JSON value in an API request. The vulnerability was disclosed on February 5, 2024, affecting the Gradio Python package (NVD, CVE).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal'). According to the National Vulnerability Database, it received a CVSS v3.1 base score of 9.4 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L, while huntr.dev assessed it with a CVSS v3.0 score of 7.5 (High) with vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows remote attackers to include local files through the API request mechanism, potentially leading to unauthorized access to sensitive files on the system running Gradio. The high CVSS scores indicate significant potential impact on confidentiality and integrity of the affected system (NVD).

A patch has been released to address this vulnerability, which can be found in the Gradio repository. Users are advised to update to the patched version of Gradio (Github Patch).