Cyber Resilience

CVE-2025-48889

Medium · Public PoC

Published: 30 May 2025

Modified: 26 August 2025
KEV Added
Patch
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0147 (81.3th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-48889 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Gradio (Gradio Project). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.

Deeper analysis

Gradio is an open-source Python package used to build demos and web interfaces for machine learning models and arbitrary Python functions. Prior to version 5.31.0, its flagging feature contained an arbitrary file copy vulnerability that permits copying of any readable file from the server filesystem, tracked as CWE-434 and assigned a CVSS 5.3 rating reflecting network-accessible impact limited to availability.

Unauthenticated remote attackers can trigger the flaw to duplicate files such as /dev/urandom onto the server, exhausting disk space and producing a denial-of-service condition without the ability to read the copied content.

The referenced GitHub Security Advisory GHSA-8jw3-6x8j-v96g states that the issue is resolved in Gradio 5.31.0.

The associated EPSS score remains low and unchanged at 0.0147 with no observed rise after disclosure.

Vulnerability details

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.

CWE(s)

AI Security Analysis (AI)

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: gradio, machine learning

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.001: OS Exhaustion Flood (Impact)
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).

Why these techniques?

CVE-2025-48889 allows unauthenticated remote exploitation of a public-facing Gradio web application (T1190) via path manipulation in the flagging feature to copy arbitrary readable files, facilitating OS resource exhaustion (T1499.001) through disk space exhaustion by copying large files like /dev/urandom.

Affected Assets

Vendor: gradio project
Product: gradio
Versions: 5.25.2 — 5.31.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
