Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-f8xq-q7px-wg8c

GitHub Security Advisory

Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Impact
The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer.

### Patches
The problem has been patched as of `2.8.11`, which escapes the data saved to the csv with single quotes.

### Workarounds
If you are using an older version of `gradio`, don't open csv files generated by `gradio` with Excel or similar spreadsheet programs.

Affected Packages

PyPI gradio
Affected versions: 0 (fixed in 2.8.11)

Related CVEs

CVE-2022-24770

Key Information

GHSA ID
GHSA-f8xq-q7px-wg8c
Published
March 18, 2022 11:11 PM
Last Modified
March 18, 2022 11:11 PM
CVSS Score
7.5 /10
Primary Ecosystem
PyPI
Primary Package
gradio
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 11, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.