I tested current modelscope/FunClip at commit 7b699c81ad41d3b08e1005d8cacfc532fd9e3f33 on 2026-06-04. A fresh documented Python install with pip install -r requirements.txt resolves gradio==6.16.0, because requirements.txt leaves gradio unpinned.
The Gradio service created by funclip/launch.py exposes /gradio_api/file=. That route redirects to an external URL when the file value is an absolute HTTP URL:
curl -i 'http://127.0.0.1:19770/gradio_api/file=http%3A%2F%2Fevil.com'
Observed response:
HTTP/1.1 302 Found
Location: http://evil.com
This happens before file allow-list checks. In the resolved Gradio version, gradio.route_utils.file_fetch() returns a RedirectResponse when the supplied path_or_url looks like an HTTP URL.
Impact: any reachable FunClip Gradio deployment can be used as an open redirect on the trusted FunClip host. This can assist phishing or URL allow-list bypasses where the FunClip host is treated as trusted.
I also checked the older Gradio file-read and upload CVEs from this dependency cluster. I am not reporting those here: current gradio==6.16.0 blocked the local-file read checks, and the upload route did not return Access-Control-Allow-Origin for a non-local origin.
Suggested fix: reject /gradio_api/file= values beginning with http:// or https:// at the application or proxy boundary, and pin gradio to a version that rejects external URLs in the file route once an upstream Gradio fix is available.
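A defender-side check for the suggested fix, added here as an example and not code from FunClip or Gradio. It assumes the request target is available as a raw path string (the route prefix and the encoded example value are the ones quoted above; the access-log lines are constructed), and it goes slightly beyond the plain prefix test by percent-decoding and case-folding the value so that encoded or upper-cased http:// and https:// schemes are also caught.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Route prefix identified in the report on the FunClip Gradio service.
FILE_ROUTE_PREFIX = "/gradio_api/file="
# Schemes the suggested fix rejects; matched case-insensitively after decoding,
# so "http%3A%2F%2F" is treated the same as "http://".
EXTERNAL_SCHEME = re.compile(r"^\s*https?://", re.IGNORECASE)
MAX_DECODE_PASSES = 3  # bounded so double-encoded input is also normalised

def normalise_file_value(raw: str) -> str:
    """Percent-decode until the value is stable or the pass limit is reached."""
    value = raw
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def file_value_from_path(path: str) -> Optional[str]:
    """Return the text after 'file=' for the Gradio file route, else None."""
    if not path.startswith(FILE_ROUTE_PREFIX):
        return None
    return path[len(FILE_ROUTE_PREFIX):]

def is_external_redirect_attempt(path: str) -> bool:
    """True when the file route is asked for an absolute HTTP(S) URL."""
    value = file_value_from_path(path)
    if value is None:
        return False
    return EXTERNAL_SCHEME.match(normalise_file_value(value)) is not None

# Constructed access-log lines (combined log format) for the detection check.
ACCESS_LOG = [
    '10.0.0.5 - - [04/Jun/2026:10:00:01 +0000] "GET /gradio_api/file=http%3A%2F%2Fevil.com HTTP/1.1" 302 0',
    '10.0.0.5 - - [04/Jun/2026:10:00:02 +0000] "GET /gradio_api/file=/tmp/gradio/abc/clip.mp4 HTTP/1.1" 200 1024',
    '10.0.0.7 - - [04/Jun/2026:10:00:03 +0000] "GET /gradio_api/file=HTTPS%3A%2F%2Fevil.com%2Fx HTTP/1.1" 302 0',
]
REQUEST_LINE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/')

def flag_redirect_attempts(lines: List[str]) -> List[str]:
    """Return the log lines whose request target would be blocked."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match and is_external_redirect_attempt(match.group(1)):
            hits.append(line)
    return hits
```

At a reverse proxy the same predicate applies to the raw request line; at the application boundary it can wrap the route before Gradio's own handler sees the value.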