CVE-2023-25823: Gradio: hardcoded SSH key leaks via share=True demos

CRITICAL PoC AVAILABLE
Published February 23, 2023
CISO Take

Every ML engineer using Gradio's share=True feature has been transmitting a private SSH key to every visitor since before February 2023 — granting attackers lateral access across all shared Gradio instances on the same FRP infrastructure. Patch to 3.19.1+ immediately, rotate any exposed SSH keys, and audit connection logs. Disable share=True in any environment that touches production data or models.

What is the risk?

Critically high. CVSS 9.8 with no authentication, privileges, or user interaction required — exploitation is passive and requires only connecting to a public share link. Gradio share=True is pervasively used across ML teams for demos, research prototypes, and Hugging Face Spaces, making blast radius extremely high. Despite being patched in 2023, version lag in ML tooling environments is common, and many deployments likely remain vulnerable.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Gradio pip No patch

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

7 steps
  1. Upgrade Gradio to 3.19.1+ immediately (minimum: 3.13.1).

  2. Rotate all SSH keys on systems that ran vulnerable Gradio versions.

  3. Audit FRP connection logs for unauthorized lateral access.

  4. Replace share=True with hardened tunneling (Cloudflare Tunnel, nginx reverse proxy with auth).

  5. Isolate ML demo environments from production infrastructure and model registries.

  6. Block outbound FRP connections at the perimeter firewall if share feature is unused.

  7. Inventory all Gradio deployments including transitive dependencies in ML pipelines.
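As an added example supporting steps 1, 4 and 7 (this is not code from the advisory or from the Gradio project), the helper below classifies pinned Gradio versions against the 3.13.1 fix and the 3.19.1 recommended floor, and flags `share=True` in app source. The requirements file and demo app it scans are constructed samples.

```python
import re

PATCHED_MIN = (3, 13, 1)      # first Gradio release containing the fix
RECOMMENDED_MIN = (3, 19, 1)  # floor the advisory recommends (FRP solution tested)

def parse_version(version: str) -> tuple:
    """'3.19.1' -> (3, 19, 1); a trailing pre-release tag such as 'b2' is dropped."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def classify_version(version: str) -> str:
    """Place a Gradio version relative to the fix and the recommended floor."""
    v = parse_version(version)
    if v < PATCHED_MIN:
        return "vulnerable"
    if v < RECOMMENDED_MIN:
        return "patched-below-recommended"
    return "ok"

_PIN = re.compile(r"^\s*gradio\s*==\s*([\w.]+)", re.IGNORECASE)
_SHARE = re.compile(r"\bshare\s*=\s*True\b")

def audit_requirements(text: str) -> dict:
    """Map each exact gradio pin (gradio==X.Y.Z) in a requirements file to its status."""
    return {m.group(1): classify_version(m.group(1))
            for line in text.splitlines() if (m := _PIN.match(line))}

def find_share_true(source: str) -> list:
    """1-based line numbers where share=True is set outside a # comment."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # naive comment strip, adequate for an audit sweep
        if _SHARE.search(code):
            hits.append(lineno)
    return hits

# Constructed sample inputs (hypothetical; not taken from any real deployment).
REQUIREMENTS = "numpy==1.24.0\ngradio==3.12.0\ntorch==2.0.0\n"
DEMO_APP = ("import gradio as gr\n"
            "demo = gr.Interface(fn=lambda x: x, inputs='text', outputs='text')\n"
            "# demo.launch(share=True)  # old line, commented out\n"
            "demo.launch(share=True)\n")

if __name__ == "__main__":
    print(audit_requirements(REQUIREMENTS))  # {'3.12.0': 'vulnerable'}
    print(find_share_true(DEMO_APP))         # [4]
```

Run it over a repository's requirements files and `*.py` sources; anything reported as `vulnerable` or with a `share=True` hit is a deployment to upgrade and to move behind authenticated tunneling.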

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system security controls
NIST AI RMF
GOVERN-6.2 - Policies for AI supply chain and third-party risk
MANAGE-2.2 - Third-party AI risk treatment mechanisms
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2023-25823?

Every ML engineer using Gradio's share=True feature has been transmitting a private SSH key to every visitor since before February 2023 — granting attackers lateral access across all shared Gradio instances on the same FRP infrastructure. Patch to 3.19.1+ immediately, rotate any exposed SSH keys, and audit connection logs. Disable share=True in any environment that touches production data or models.

Is CVE-2023-25823 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-25823, increasing the risk of exploitation.

How to fix CVE-2023-25823?

  1. Upgrade Gradio to 3.19.1+ immediately (minimum: 3.13.1).
  2. Rotate all SSH keys on systems that ran vulnerable Gradio versions.
  3. Audit FRP connection logs for unauthorized lateral access.
  4. Replace share=True with hardened tunneling (Cloudflare Tunnel, nginx reverse proxy with auth).
  5. Isolate ML demo environments from production infrastructure and model registries.
  6. Block outbound FRP connections at the perimeter firewall if the share feature is unused.
  7. Inventory all Gradio deployments, including transitive dependencies in ML pipelines.

What systems are affected by CVE-2023-25823?

This vulnerability affects the following AI/ML architecture patterns: ML demo environments, model serving, data science notebooks.

What is the CVSS score for CVE-2023-25823?

CVE-2023-25823 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.55%.

What is the AI security impact?

Affected AI Architectures

ML demo environments, model serving, data science notebooks

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: GOVERN-6.2, MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1; however, users are recommended to update to 3.19.1 or later, where the FRP solution has been properly tested.

Exploitation Scenario

An attacker finds a public Gradio share link (trivially discoverable via GitHub READMEs, social media, or search indexing of gradio.live URLs). On connecting, the vulnerable Gradio instance transmits its SSH private key. The attacker authenticates to the shared FRP server using this key and enumerates other active Gradio sessions on the same infrastructure. From there, they can observe model inputs/outputs in real time, extract model artifacts, harvest API keys from environment variables, or use exposed compute for cryptomining or further lateral movement. The attack leaves minimal forensic trace, as no authentication failure occurs.

Weaknesses (CWE)

CWE-798 — Use of Hard-coded Credentials: The product contains hard-coded credentials, such as a password or cryptographic key.

  • [Architecture and Design] For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may provide some protection.
  • [Architecture and Design] For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
February 23, 2023
Last Modified
November 21, 2024
First Seen
February 23, 2023
