Primary

Context

Gradio Zip Bomb Vulnerability in Dataframe Component Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the dataframe component of Gradio (version git 98cbcae). This issue arises from the component's use of pd.read_csv to process input values, which can accept compressed files. An attacker could exploit this by uploading a maliciously crafted zip bomb, leading to a server crash.

Impact

Exploitation of this vulnerability causes the Gradio server to crash, terminating the process and disrupting service.

Reproduction

The vulnerability can be reproduced by creating a zip bomb—such as a gzip file that expands to a large size— and uploading it through a Gradio interface that accepts CSV files. The server will crash due to the excessive memory consumption.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

9.1

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

9.1

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Gradio Zip Bomb Vulnerability in Dataframe Component Allowing Denial-of-Service

Vulnerability

Impact

Reproduction

Affected Products

gradio-app/gradio

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating