CVE-2025-48889
Published: 30 May 2025
Summary
CVE-2025-48889 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Gradio Project Gradio. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.
Deeper analysis
Gradio is an open-source Python package used to build demos and web interfaces for machine learning models and arbitrary Python functions. Prior to version 5.31.0, its flagging feature contained an arbitrary file copy vulnerability that permits copying of any readable file from the server filesystem, tracked as CWE-434 and assigned a CVSS 5.3 rating reflecting network-accessible impact limited to availability.
Unauthenticated remote attackers can trigger the flaw to duplicate files such as /dev/urandom onto the server, exhausting disk space and producing a denial-of-service condition without the ability to read the copied content.
The referenced GitHub Security Advisory GHSA-8jw3-6x8j-v96g states that the issue is resolved in Gradio 5.31.0.
The associated EPSS score remains low and unchanged at 0.0147 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16432
Vulnerability details
Gradio is an open-source Python package that allows quick building of demos and web applications for machine learning models, APIs, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.
- CWE(s)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: gradio, machine learning
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-48889 allows unauthenticated remote exploitation of a public-facing Gradio web application (T1190) via path manipulation in the flagging feature to copy arbitrary readable files, facilitating OS resource exhaustion (T1499.001) through disk space exhaustion by copying large files like /dev/urandom.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.