If you discover a security vulnerability, we would be very grateful if you could email us at gradio-team@huggingface.co. This is preferred over opening a public issue. We take all vulnerability reports seriously and will work to patch the vulnerability immediately. Whenever possible, we will credit the person or people who reported the security vulnerability after it has been patched.
Security: gradio-app/gradio
- Gradio Absolute Path Traversal on Windows with Python 3.13+ (GHSA-39mp-8hj3-5c49), published Feb 27, 2026 by freddyaboulton. Severity: High
- Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret (GHSA-h3h8-3v2v-rg7m), published Feb 27, 2026 by freddyaboulton. Severity: Low
- Open Redirect in OAuth Flow (GHSA-pfjf-5gxr-995x), published Feb 27, 2026 by freddyaboulton. Severity: Moderate
- SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing (GHSA-jmh7-g254-2cq9), published Feb 27, 2026 by freddyaboulton. Severity: High
- Unauthorized File Copy via Path Manipulation (GHSA-8jw3-6x8j-v96g), published May 29, 2025 by freddyaboulton. Severity: Moderate
- Gradio Blocked Path ACL Bypass Vulnerability (GHSA-j2jg-fq62-7c3h), published Jan 14, 2025 by freddyaboulton. Severity: High
- Arbitrary file read with File and UploadButton components (GHSA-rhm9-gp5p-5248), published Nov 6, 2024 by freddyaboulton. Severity: Moderate
- Lack of integrity check on the downloaded FRP client (GHSA-8c87-gvhj-xm8m), published Oct 10, 2024 by abidlabs. Severity: Low
- Several components’ post-process steps may allow arbitrary file leaks (GHSA-4q3c-cj7g-jcwf), published Oct 10, 2024 by abidlabs. Severity: High
- Dropdown component pre-process step does not limit the values to those in the dropdown list (GHSA-26jh-r8g2-6fpr), published Oct 10, 2024 by abidlabs. Severity: Low
Learn more about advisories related to gradio-app/gradio in the GitHub Advisory Database