What is CVE-2025-48889?

CVE-2025-48889 is a medium-severity vulnerability in Gradio-app Gradio, classified under Unrestricted Upload of File with Dangerous Type. CVSS score: 5.3/10. Published 2025-05-30.

How severe is CVE-2025-48889?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Is CVE-2025-48889 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Arbitrary file upload in Gradio-app Gradio

CVE-2025-48889

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's f…

Vulnerability class: Unrestricted File Upload

EPSS: 0.015 (81.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Affected products

Gradio-app Gradio — versions < 5.31.0

Weakness classification (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

https://github.com/gradio-app/gradio/security/advisories/GHSA-8jw3-6x8j-v96g (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2025-48889?: CVE-2025-48889 is a medium-severity vulnerability in Gradio-app Gradio, classified under Unrestricted Upload of File with Dangerous Type. CVSS score: 5.3/10. Published 2025-05-30.
How severe is CVE-2025-48889?: Medium severity. CVSS v3 base score is 5.3 out of 10.
Is CVE-2025-48889 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.