AI Threat Alert

CVE-2021-43831: Gradio: path traversal exposes host filesystem to users

HIGH PoC AVAILABLE NUCLEI TEMPLATE
Published December 15, 2021
CISO Take

Any team running Gradio < 2.5.0 for ML demos or model prototyping is exposing their host filesystem to anyone with the link — including cloud credentials, model weights, and training data. Patch to 2.5.0+ immediately and audit what was accessible on any public-facing Gradio instance. If the instance ran on a cloud VM, rotate all credentials and API keys stored on that host.

What is the risk?

High risk for AI/ML teams running shared demo environments. The CVSS Scope:Changed modifier is critical here — the vulnerable Gradio process can expose files belonging to the underlying OS, not just its own data. Low attack complexity and low privilege requirement mean any user with the Gradio URL can attempt exploitation without technical sophistication. ML demo environments are particularly dangerous targets because they frequently co-locate model weights, training datasets, .env files with API keys (HuggingFace tokens, OpenAI keys, cloud credentials), and SSH keys on the same host.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Gradio pip No patch
43.0K OpenSSF 5.6 685 dependents Pushed 4d ago 26% patched ~110d to patch Full package profile →

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1
7.7 / 10
EPSS
3.8%
chance of exploitation in 30 days
Higher than 89% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I None
A None

What should I do?

6 steps

  1. Immediate: Upgrade all Gradio instances to >= 2.5.0 (patch released 2021-12-15).

  2. If upgrade not immediately possible: restrict Gradio interfaces to authenticated internal networks only — remove public sharing links.

  3. Credential rotation: assume any Gradio instance running < 2.5.0 was compromised; rotate all secrets accessible on the host (API keys, cloud credentials, SSH keys).

  4. Detection: audit web server logs for Gradio instances for unusual file path parameters or directory traversal sequences (../, %2e%2e%2f).

  5. Inventory: identify all Gradio deployments in your environment using package management tools (pip list, requirements.txt scanning).

  6. Preventive control: enforce file sandbox restrictions (chroot, Docker with limited mounts) for any ML demo/serving framework.

How is it classified?

Data Extraction Privacy Violation Framework Inference AML.T0025 AML.T0035 AML.T0037 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security by design A.9.4 - Protection of AI system data
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems MEASURE 2.6 - Risk measurement of AI trustworthiness properties
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2021-43831?

Any team running Gradio < 2.5.0 for ML demos or model prototyping is exposing their host filesystem to anyone with the link — including cloud credentials, model weights, and training data. Patch to 2.5.0+ immediately and audit what was accessible on any public-facing Gradio instance. If the instance ran on a cloud VM, rotate all credentials and API keys stored on that host.

Is CVE-2021-43831 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-43831, increasing the risk of exploitation.

How to fix CVE-2021-43831?

1. Immediate: Upgrade all Gradio instances to >= 2.5.0 (patch released 2021-12-15). 2. If upgrade not immediately possible: restrict Gradio interfaces to authenticated internal networks only — remove public sharing links. 3. Credential rotation: assume any Gradio instance running < 2.5.0 was compromised; rotate all secrets accessible on the host (API keys, cloud credentials, SSH keys). 4. Detection: audit web server logs for Gradio instances for unusual file path parameters or directory traversal sequences (../, %2e%2e%2f). 5. Inventory: identify all Gradio deployments in your environment using package management tools (pip list, requirements.txt scanning). 6. Preventive control: enforce file sandbox restrictions (chroot, Docker with limited mounts) for any ML demo/serving framework.

What systems are affected by CVE-2021-43831?

This vulnerability affects the following AI/ML architecture patterns: ml demos and prototyping, model serving, inference servers, training pipelines, data science workstations.

What is the CVSS score for CVE-2021-43831?

CVE-2021-43831 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 3.79%.

What is the AI security impact?

Affected AI Architectures

ml demos and prototypingmodel servinginference serverstraining pipelinesdata science workstations

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6, A.9.4
NIST AI RMF: MANAGE 2.2, MEASURE 2.6
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not restricted and users who receive a Gradio link can access any files on the host computer if they know the file names or file paths. This is limited only by the host operating system. Paths are opened in read only mode. The problem has been patched in gradio 2.5.0.

Exploitation Scenario

An adversary conducting ML supply chain reconnaissance shares a legitimate Gradio-powered model demo link (or finds one publicly exposed). With knowledge of common file paths, they craft requests targeting /etc/passwd to enumerate users, then ~/.ssh/id_rsa for SSH keys, /home/user/.env or /opt/app/.env for API credentials (HuggingFace tokens, OpenAI keys), and ~/.config/gcloud/credentials.json for cloud access. Since Gradio interfaces are frequently run by data scientists on personal workstations or shared GPU instances with broad file system access, the adversary can exfiltrate proprietary model weights, training datasets, and cloud credentials — enabling lateral movement, IP theft, or training data poisoning in follow-on operations.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References

Timeline

Published
December 15, 2021
Last Modified
November 21, 2024
First Seen
December 15, 2021

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2021/CVE-2021-43831.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2024-47167 9.8

Gradio: unauthenticated SSRF in /queue/join, internal pivot

Same package: gradio
CRITICAL CVE-2024-39236 9.8

Gradio: code injection via component metadata (CVSS 9.8)

Same package: gradio
CRITICAL CVE-2023-25823 9.8

Gradio: hardcoded SSH key leaks via share=True demos

Same package: gradio
CRITICAL CVE-2024-0964 9.4

Gradio: unauthenticated LFI exposes full server filesystem

Same package: gradio
CRITICAL CVE-2023-34239 9.1

Gradio: path traversal + SSRF exposes model files & infra

Same package: gradio
Back to Threat Feed