GHSA-prpg-p95c-32fv · Severity: medium · Ecosystem: pip — Gradio Path Traversal vulnerability
A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is flawed. Specifically, while the application correctly blocks access to paths like 'C:/tmp/secret.txt', it fails to block access when using NTFS Alternate Data Streams (ADS) syntax, such as 'C:/tmp/secret.txt::$DATA'. This flaw can lead to unauthorized reading of blocked file paths.
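The blocklist bypass described above, shown as an added Python example that is not Gradio's own code: a naive check that compares canonical paths (and so treats `secret.txt::$DATA` as a different file) beside a hardened check that reduces the request to the underlying file before comparing. `BLOCKED_PATHS` and the request strings are constructed samples; `ntpath` is used so the Windows path rules apply on any host OS.

```python
import ntpath

# Constructed sample blocklist, mirroring the advisory's example path.
BLOCKED_PATHS = ["C:/tmp/secret.txt"]


def canonical(path: str) -> str:
    """Windows-style canonical form: one separator, '..' collapsed, lower case
    (NTFS is case-insensitive). ntpath makes this work on any host OS."""
    return ntpath.normcase(ntpath.normpath(path))


def strip_ads(path: str) -> str:
    """Drop an NTFS alternate data stream suffix (':stream' or '::$DATA') from
    the final path component. The drive colon ('C:') is split off first so it
    survives; colons are not legal elsewhere in a Windows file name."""
    drive, rest = ntpath.splitdrive(path)
    head, base = ntpath.split(rest)
    base = base.split(":", 1)[0]          # 'secret.txt::$DATA' -> 'secret.txt'
    return ntpath.join(drive + head, base)


def is_blocked_naive(path: str, blocked=BLOCKED_PATHS) -> bool:
    """Compares canonical paths only: the ADS suffix makes the request look
    like a different file, so it slips past the blocklist (the flaw the
    advisory describes)."""
    p = canonical(path)
    return any(p == canonical(b) or p.startswith(canonical(b) + "\\")
               for b in blocked)


def is_blocked_hardened(path: str, blocked=BLOCKED_PATHS) -> bool:
    """Same comparison, but the request is reduced to the underlying file first,
    so 'secret.txt', 'secret.txt::$DATA' and 'SECRET.TXT:x:$DATA' all match."""
    return is_blocked_naive(strip_ads(path), blocked)


if __name__ == "__main__":
    for req in ["C:/tmp/secret.txt", "C:/tmp/secret.txt::$DATA",
                "C:\\tmp\\..\\tmp\\SECRET.TXT:hidden:$DATA", "C:/tmp/other.txt"]:
        print(f"{req:45} naive={is_blocked_naive(req)!s:5} "
              f"hardened={is_blocked_hardened(req)}")
```

A stricter variant simply rejects any request whose path still contains a colon after the drive is split off, since no legitimate file name needs one.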
Conclusion & alert: CVE-2024-12217 is rated Moderate Risk (40.8/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.32%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS note: EPSS is updated daily and estimates the relative likelihood that a vulnerability will be exploited in the wild; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative likelihood of exploitation).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-28 | 0.05% | 0.32% | +0.27% |
| 2 | 2025-03-30 | 0.04% | 0.05% | +0.01% |
| 3 | 2025-03-29 | — | 0.04% | — |
Full EPSS history (5 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.0 | MEDIUM | | 3.9 | 1.4 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | | | |