CVE-2024-10648

Severity: High · Public PoC
Published: 20 March 2025
Modified: 14 October 2025
KEV Added: not listed
Patch: no value recorded
CVSS v3 score: 8.2 (vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS score: 0.0025 (49.1st percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10648 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Gradio (Gradio Project). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Machine Learning Libraries; in the Supply Chain and Deployment risk domain.

Vulnerability details

A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. This vulnerability allows an attacker to control the format of the audio file, leading to arbitrary file content deletion. By manipulating the output format, an attacker can reset any file to an empty file, causing a denial of service (DoS) on the server.
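The root cause described above is a user-controlled "format" value being spliced into a server-side filename. The following is an added example of the mitigation pattern for this flaw class, not Gradio's code or its fix: the requested format is treated as an extension that must come from an allowlist, the file stem is restricted to a plain token, and the resolved path is checked to remain inside the cache directory. The names `build_output_path`, `is_safe_request`, `ALLOWED_FORMATS` and the cache-directory layout are assumptions for illustration.

```python
import re
from pathlib import Path

# Constructed example (not Gradio's code): a hardened output-path builder
# for a server-side media conversion step. The allowlist and helper names
# are assumptions for illustration.

ALLOWED_FORMATS = {"wav", "mp3", "ogg", "flac"}
# A stem is a plain token: no path separators, no dots, bounded length.
_STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafeOutputPath(ValueError):
    """Raised when a requested output path cannot be proven safe."""


def build_output_path(cache_dir: str, stem: str, fmt: str) -> Path:
    """Return <cache_dir>/<stem>.<fmt>, refusing anything that could escape cache_dir.

    Three independent checks, so a bypass of one does not defeat the others:
      1. the format must be an allowlisted extension (it is never a path fragment);
      2. the stem must match a strict token pattern;
      3. the fully resolved path must still sit under the resolved cache directory.
    """
    fmt_norm = fmt.strip().lower()
    if fmt_norm not in ALLOWED_FORMATS:
        raise UnsafeOutputPath(f"format not allowed: {fmt!r}")

    if not _STEM_RE.fullmatch(stem):
        raise UnsafeOutputPath(f"invalid file stem: {stem!r}")

    base = Path(cache_dir).resolve()
    candidate = (base / f"{stem}.{fmt_norm}").resolve()
    # Containment check: the cache directory must be a parent of the result.
    if base not in candidate.parents:
        raise UnsafeOutputPath("resolved path escapes cache directory")
    return candidate


def is_safe_request(cache_dir: str, stem: str, fmt: str) -> bool:
    """Boolean wrapper around build_output_path for request filtering and logging."""
    try:
        build_output_path(cache_dir, stem, fmt)
        return True
    except UnsafeOutputPath:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one benign, the rest shaped like traversal attempts.
    samples = [
        ("clip", "wav"),
        ("clip", "WAV"),
        ("clip", "..\\..\\some\\file"),
        ("clip", "../other"),
        ("../clip", "wav"),
        ("clip", "wav/../../x"),
    ]
    for stem, fmt in samples:
        verdict = "accept" if is_safe_request("/tmp/audio-cache", stem, fmt) else "reject"
        print(f"{verdict:6} stem={stem!r} fmt={fmt!r}")
```

The allowlist check alone would block the reported vector; the stem pattern and the containment check are there so that a future refactor that lets another parameter reach the filename does not silently reopen the hole. Rejections from `is_safe_request` are a useful signal to log and alert on, since legitimate clients never send a format containing path separators.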

CWE(s)

CWE-29: Path Traversal: '\..\filename'
AI Security Analysis

AI Category: Machine Learning Libraries
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: gradio

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1561.001 Disk Content Wipe (Impact): Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
Why these techniques?

Path traversal in Gradio allows arbitrary file content deletion (emptying files), enabling exploitation of public-facing web apps (T1190), file deletion for evasion (T1070.004), data destruction (T1485), endpoint DoS via app exploitation (T1499.004), and disk content wiping (T1561.001).

Affected Assets

Vendor: gradio project
Product: gradio
2024-09-18

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
