Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-1561 PoC — Arbitrary Local File Read via Component Method Invocation in gradio-app/gradio

Source
https://github.com/DiabloHTB/Nuclei-Template-CVE-2024-1561
Associated Vulnerability
Title:Arbitrary Local File Read via Component Method Invocation in gradio-app/gradio (CVE-2024-1561)
Description:An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.
Description
Nuclei Templates
Readme
# CVE-2024-1561 Nuclei Template

This Nuclei template is designed to detect the Gradio CVE-2024-1561 vulnerability in web applications. Gradio is a Python library for creating customizable UI components around machine learning models. This vulnerability may allow attackers to read files from the server.


###  Running the template

Clone this repository to your local machine and run using the `-t` flag:

```bash
git clone https://github.com/DiabloHTB/Nuclei-Template-CVE-2024-1561
cd Nuclei-Template-CVE-2024-1561
nuclei -target <URL> -t CVE-2024-1561.yaml
```

Example:
```bash
┌──(gradio-env)─(diablo㉿diablo)-[~/gradio]
└─$ nuclei -target http://127.0.0.1:7860 -t CVE-2024-1561.yaml 

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.6

                projectdiscovery.io

[INF] Current nuclei version: v3.2.6 (outdated)
[INF] Current nuclei-templates version: v9.8.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 65
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2024-1561] [http] [high] http://127.0.0.1:7860/file=/tmp/gradio/83bbb89b677a9cca3d271a392fa1aa2a10853c32/passwd

```

### PoC
The template tests for `/etc/passwd` presence matching with `root` user.
To fully exploit the target check the following :   

https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338

https://github.com/DiabloHTB/CVE-2024-1561




Disclaimer
This template is provided for educational and informational purposes only. Usage of this template for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this template.
File Snapshot

 [4.0K]  /data/pocs/1936b71f9f1ddda2a31cccc32a6fbc6c85827b93
├── [1.8K]  CVE-2024-1561.yaml
└── [1.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →