CVE-2023-25823: Gradio: hardcoded SSH key leaks via share=True demos

CRITICAL PoC AVAILABLE
Published February 23, 2023
CISO Take

ML engineers running Gradio versions prior to 3.13.1 with share=True have been transmitting a private SSH key to every visitor who connects to the share link, which gives attackers access to other users' shared Gradio demos on the same FRP infrastructure. Patch to 3.19.1+ immediately, rotate any exposed SSH keys, and audit connection logs. Disable share=True in any environment that touches production data or models.

Risk Assessment

Critically high. CVSS 9.8 with no authentication, privileges, or user interaction required — exploitation is passive and requires only connecting to a public share link. Gradio share=True is pervasively used across ML teams for demos, research prototypes, and Hugging Face Spaces, making blast radius extremely high. Despite being patched in 2023, version lag in ML tooling environments is common, and many deployments likely remain vulnerable.

Affected Systems

Package Ecosystem Vulnerable Range Patched
gradio pip No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 61% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

  1. Upgrade Gradio to 3.19.1+ immediately (minimum: 3.13.1).

  2. Rotate all SSH keys on systems that ran vulnerable Gradio versions.

  3. Audit FRP connection logs for unauthorized lateral access.

  4. Replace share=True with hardened tunneling (Cloudflare Tunnel, nginx reverse proxy with auth).

  5. Isolate ML demo environments from production infrastructure and model registries.

  6. Block outbound FRP connections at the perimeter firewall if share feature is unused.

  7. Inventory all Gradio deployments including transitive dependencies in ML pipelines.
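
A starting point for steps 1 and 7, as an added example that is not code from Gradio or from this advisory: it classifies a pinned gradio version against the 3.13.1 and 3.19.1 thresholds stated on this page and uses Python's `ast` module to locate calls that pass the literal keyword `share=True`. The host names, pinned versions, sample app code and status labels are constructed for illustration.

```python
import ast
import re

PATCHED = (3, 13, 1)       # first fixed release per the NVD description
RECOMMENDED = (3, 19, 1)   # release the advisory recommends upgrading to

def release_tuple(version: str) -> tuple:
    """Leading numeric release segment as ints; pre-release tags are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version: str) -> str:
    v = release_tuple(version)
    if v < PATCHED:
        return "vulnerable"
    if v < RECOMMENDED:
        return "patched, upgrade recommended"
    return "ok"

def share_true_calls(source: str) -> list:
    """Line numbers of calls that pass the literal keyword share=True."""
    hits = []
    for node in ast.walk(ast.parse(source)):  # parses only, never imports gradio
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if (kw.arg == "share" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    hits.append(node.lineno)
    return sorted(hits)

def audit(pins: dict, sources: dict) -> list:
    """One (host, version status, share=True line numbers) tuple per host."""
    return [(host, classify(ver), share_true_calls(sources.get(host, "")))
            for host, ver in pins.items()]

# Constructed sample inventory (hypothetical hosts, versions and app code).
SAMPLE_PINS = {"demo-a": "3.12.0", "demo-b": "3.16.2", "demo-c": "3.19.1"}
SAMPLE_SOURCES = {
    "demo-a": "import gradio as gr\ndemo = gr.Interface(fn=len, inputs='text', outputs='number')\ndemo.launch(share=True)\n",
    "demo-b": "import gradio as gr\ngr.Interface(fn=len, inputs='text', outputs='number').launch(share=False)\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PINS, SAMPLE_SOURCES):
        print(finding)
```

The AST check only sees the literal `share=True`; a value passed through a variable or configuration file needs a separate review.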

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system security controls
NIST AI RMF
GOVERN-6.2 - Policies for AI supply chain and third-party risk
MANAGE-2.2 - Third-party AI risk treatment mechanisms
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2023-25823 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-25823, increasing the risk of exploitation.

What systems are affected by CVE-2023-25823?

This vulnerability affects the following AI/ML architecture patterns: ML demo environments, model serving, data science notebooks.

What is the CVSS score for CVE-2023-25823?

CVE-2023-25823 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.41%.

Technical Details

NVD Description

Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested.

Exploitation Scenario

Attacker finds a public Gradio share link (trivially discoverable via GitHub READMEs, social media, or search indexing of gradio.live URLs). On connecting, the vulnerable Gradio instance transmits its SSH private key. Attacker authenticates to the shared FRP server using this key and enumerates other active Gradio sessions on the same infrastructure. From there, they can observe model inputs/outputs in real time, extract model artifacts, harvest API keys from environment variables, or use exposed compute for cryptomining or further lateral movement. The attack leaves minimal forensic trace as no authentication failure occurs.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 23, 2023
Last Modified
November 21, 2024
First Seen
February 23, 2023

Related Vulnerabilities