CVE-2024-10648
Published: 20 March 2025
Summary
CVE-2024-10648 is a high-severity path traversal vulnerability (CWE-29: Path Traversal: '\..\filename') in Gradio, by Gradio Project. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 49.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Machine Learning Libraries; in the Supply Chain and Deployment risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7103
Vulnerability details
A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. This vulnerability allows an attacker to control the format of the audio file, leading to arbitrary file content deletion. By manipulating the output format, an attacker can reset any file to an empty file, causing a denial of service (DoS) on the server.
- CWE(s)
AI Security Analysis
- AI Category
- Machine Learning Libraries
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: gradio
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in Gradio allows arbitrary file content deletion (emptying files), enabling exploitation of public-facing web apps (T1190), file deletion for evasion (T1070.004), data destruction (T1485), endpoint DoS via app exploitation (T1499.004), and disk content wiping (T1561.001).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.