CVE-2021-43831 — HIGH (CVSS 7.7) AI Security Vulnerability

Q: Is CVE-2021-43831 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-43831, increasing the risk of exploitation.

Q: How to fix CVE-2021-43831?

1. Immediate: Upgrade all Gradio instances to >= 2.5.0 (patch released 2021-12-15). 2. If upgrade not immediately possible: restrict Gradio interfaces to authenticated internal networks only — remove public sharing links. 3. Credential rotation: assume any Gradio instance running < 2.5.0 was compromised; rotate all secrets accessible on the host (API keys, cloud credentials, SSH keys). 4. Detection: audit web server logs for Gradio instances for unusual file path parameters or directory traversal sequences (../, %2e%2e%2f). 5. Inventory: identify all Gradio deployments in your environment using package management tools (pip list, requirements.txt scanning). 6. Preventive control: enforce file sandbox restrictions (chroot, Docker with limited mounts) for any ML demo/serving framework.

Q: What systems are affected by CVE-2021-43831?

This vulnerability affects the following AI/ML architecture patterns: ml demos and prototyping, model serving, inference servers, training pipelines, data science workstations.

Q: What is the CVSS score for CVE-2021-43831?

CVE-2021-43831 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 30.34%.

CISO Take

Any team running Gradio < 2.5.0 for ML demos or model prototyping is exposing their host filesystem to anyone with the link — including cloud credentials, model weights, and training data. Patch to 2.5.0+ immediately and audit what was accessible on any public-facing Gradio instance. If the instance ran on a cloud VM, rotate all credentials and API keys stored on that host.

Risk Assessment

High risk for AI/ML teams running shared demo environments. The CVSS Scope:Changed modifier is critical here — the vulnerable Gradio process can expose files belonging to the underlying OS, not just its own data. Low attack complexity and low privilege requirement mean any user with the Gradio URL can attempt exploitation without technical sophistication. ML demo environments are particularly dangerous targets because they frequently co-locate model weights, training datasets, .env files with API keys (HuggingFace tokens, OpenAI keys, cloud credentials), and SSH keys on the same host.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1

7.7 / 10

EPSS

30.3%

chance of exploitation in 30 days

Higher than 97% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 30%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Changed

C High

I None

A None

Recommended Action

6 steps

Immediate: Upgrade all Gradio instances to >= 2.5.0 (patch released 2021-12-15).
If upgrade not immediately possible: restrict Gradio interfaces to authenticated internal networks only — remove public sharing links.
Credential rotation: assume any Gradio instance running < 2.5.0 was compromised; rotate all secrets accessible on the host (API keys, cloud credentials, SSH keys).
Detection: audit web server logs for Gradio instances for unusual file path parameters or directory traversal sequences (../, %2e%2e%2f).
Inventory: identify all Gradio deployments in your environment using package management tools (pip list, requirements.txt scanning).
Preventive control: enforce file sandbox restrictions (chroot, Docker with limited mounts) for any ML demo/serving framework.

Classification

Data Extraction Privacy Violation Framework Inference AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security by design A.9.4 - Protection of AI system data

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems MEASURE 2.6 - Risk measurement of AI trustworthiness properties

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2021-43831?

Any team running Gradio < 2.5.0 for ML demos or model prototyping is exposing their host filesystem to anyone with the link — including cloud credentials, model weights, and training data. Patch to 2.5.0+ immediately and audit what was accessible on any public-facing Gradio instance. If the instance ran on a cloud VM, rotate all credentials and API keys stored on that host.

Is CVE-2021-43831 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-43831, increasing the risk of exploitation.

How to fix CVE-2021-43831?

1. Immediate: Upgrade all Gradio instances to >= 2.5.0 (patch released 2021-12-15). 2. If upgrade not immediately possible: restrict Gradio interfaces to authenticated internal networks only — remove public sharing links. 3. Credential rotation: assume any Gradio instance running < 2.5.0 was compromised; rotate all secrets accessible on the host (API keys, cloud credentials, SSH keys). 4. Detection: audit web server logs for Gradio instances for unusual file path parameters or directory traversal sequences (../, %2e%2e%2f). 5. Inventory: identify all Gradio deployments in your environment using package management tools (pip list, requirements.txt scanning). 6. Preventive control: enforce file sandbox restrictions (chroot, Docker with limited mounts) for any ML demo/serving framework.

What systems are affected by CVE-2021-43831?

This vulnerability affects the following AI/ML architecture patterns: ml demos and prototyping, model serving, inference servers, training pipelines, data science workstations.

What is the CVSS score for CVE-2021-43831?

CVE-2021-43831 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 30.34%.

Technical Details

NVD Description

Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not restricted and users who receive a Gradio link can access any files on the host computer if they know the file names or file paths. This is limited only by the host operating system. Paths are opened in read only mode. The problem has been patched in gradio 2.5.0.

Exploitation Scenario

An adversary conducting ML supply chain reconnaissance shares a legitimate Gradio-powered model demo link (or finds one publicly exposed). With knowledge of common file paths, they craft requests targeting /etc/passwd to enumerate users, then ~/.ssh/id_rsa for SSH keys, /home/user/.env or /opt/app/.env for API credentials (HuggingFace tokens, OpenAI keys), and ~/.config/gcloud/credentials.json for cloud access. Since Gradio interfaces are frequently run by data scientists on personal workstations or shared GPU instances with broad file system access, the adversary can exfiltrate proprietary model weights, training datasets, and cloud credentials — enabling lateral movement, IP theft, or training data poisoning in follow-on operations.