CVE-2024-39236: 
Gradio vulnerability analysis and mitigation

Gradio v4.36.1 contains a code injection vulnerability in the component /gradio/component_meta.py that can be triggered via crafted input. The vulnerability was discovered and disclosed in July 2024, affecting the Gradio Python package. The vendor has disputed this vulnerability, stating that the report describes a scenario where a user is attacking themselves (NVD, GitHub Advisory).

The vulnerability exists in the create_pyi function within the component_meta.py file. The function does not properly validate input when users generate pyi files, which leads to code injection through jinja2 during rendering. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code through the create_pyi function. This could potentially lead to unauthorized code execution within the context of the application (Gradio PoC).

The vulnerability has been reported and tracked in the GitHub issue tracker, where it was marked as a blocking security issue. The vendor has disputed the vulnerability classification, arguing that the scenario described involves a user attacking themselves (Gradio Issue).