Summary
TaskMatrix currently lists gradio in requirements.txt without a version bound.
That means an environment that resolves or pins an older Gradio release can install versions covered by several public Gradio advisories. I am not claiming that every fresh install today selects a vulnerable release. This is a dependency constraint issue: the project does not currently prevent known vulnerable Gradio versions from being installed.
Relevant line:
requirements.txt
line 12: gradio
Current source:
https://github.com/chenfei-wu/TaskMatrix/blob/main/requirements.txt#L12
Advisory examples
These are public advisories whose vulnerable ranges are still allowed by the unpinned gradio requirement:
CVE-2024-1728 / GHSA-m842-4qm8-7gpq: affected < 4.19.2
CVE-2024-1727 / GHSA-48cq-79qq-6f7x: affected < 4.19.2
CVE-2024-47084 / GHSA-3c67-5hwx-f6wx: affected < 4.44.0
CVE-2024-47869 / GHSA-j757-pf57-f8r4: affected < 4.44.0
CVE-2024-47164 / GHSA-77xq-6g77-h274: affected < 5.0.0
CVE-2025-23042 / GHSA-j2jg-fq62-7c3h: affected < 5.11.0
CVE-2025-48889 / GHSA-8jw3-6x8j-v96g: affected < 5.31.0
Suggested fix
Please consider pinning or lower-bounding Gradio to a maintained patched release, then updating any install documentation that expects the unbounded dependency.
The important property is that the requirement excludes the affected ranges listed above, rather than leaving the resolver free to choose any Gradio version.
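As an added illustration (not part of this report or of the TaskMatrix project), a small script that checks a candidate `gradio` requirement line against the first fixed versions listed above and reports which advisory ranges it still admits. It assumes plain dotted release versions and only the unbounded, `>=` and `==` requirement shapes.

```python
# Added example (not from the TaskMatrix repository): checks a candidate gradio
# requirement line against the advisory upper bounds listed in this report.
# Only plain dotted release versions (e.g. 4.19.2) are parsed; pre-release
# suffixes and other PEP 440 corner cases are out of scope for this check.
import re

# Advisory ids and the first fixed version, as listed in the report above
# (each advisory's affected range is "< fixed").
ADVISORIES = {
    "CVE-2024-1728": "4.19.2",
    "CVE-2024-1727": "4.19.2",
    "CVE-2024-47084": "4.44.0",
    "CVE-2024-47869": "4.44.0",
    "CVE-2024-47164": "5.0.0",
    "CVE-2025-23042": "5.11.0",
    "CVE-2025-48889": "5.31.0",
}

def parse_version(text):
    """Turn '4.19.2' into (4, 19, 2) so tuples compare numerically."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def minimum_allowed(requirement):
    """Return the lowest version a requirement line permits, or None if unbounded.

    Supports the three shapes relevant here: 'gradio' (unbounded),
    'gradio>=X' (lower bound) and 'gradio==X' (exact pin).
    """
    m = re.fullmatch(r"\s*gradio\s*(?:(>=|==)\s*([\w.]+))?\s*", requirement)
    if m is None:
        raise ValueError(f"unsupported requirement line: {requirement!r}")
    op, version = m.group(1), m.group(2)
    if op is None:
        return None  # any published release can be selected by the resolver
    return parse_version(version)

def still_installable(requirement, advisories=ADVISORIES):
    """List advisories whose affected range ('< fixed') the requirement still admits."""
    floor = minimum_allowed(requirement)
    return sorted(
        cve for cve, fixed in advisories.items()
        if floor is None or floor < parse_version(fixed)
    )

if __name__ == "__main__":
    for line in ("gradio", "gradio>=4.44.0", "gradio==5.31.0"):
        print(f"{line!r}: {still_installable(line) or 'no listed advisory ranges'}")
```

The unbounded line reproduces the situation in the report (every listed range remains installable), while a `>=` bound at or above the highest fixed version admits none of them.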
Notes
This report is only about the gradio dependency line. I am not reporting the old opencv-python <= 3.3.1.11 advisory windows here because the opencv-python package on PyPI starts at 3.4.0.14, so those older vulnerable windows do not appear to be installable through PyPI.
No real credentials or private data were used for this report.