CVE-2023-34239: Gradio path traversal + SSRF

CISO Take

Any internet-exposed Gradio instance running below 3.34.0 is trivially exploitable by unauthenticated attackers to read arbitrary server files (model weights, .env, API keys) and pivot into internal infrastructure via SSRF. Upgrade to 3.34.0 immediately and audit all Gradio deployments for public exposure—ML teams routinely spin these up without security review. Treat any previously exposed instance as potentially compromised and rotate credentials.

What is the risk?

Severity is justified: CVSS 9.1, no authentication, no user interaction, network-exploitable. Gradio is pervasive in ML prototyping and demo environments, which are routinely exposed publicly. The SSRF vector is especially dangerous in cloud environments where it can chain to instance metadata services (AWS IMDSv1, GCP) to steal IAM credentials. Low attack complexity means opportunistic scanning will find and exploit these at scale. No known active exploitation at time of publication, but the attack surface is wide and the barrier to exploit is effectively zero.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Gradio	pip	—	No patch
43.0K OpenSSF 5.6 685 dependents Pushed 4d ago 26% patched ~110d to patch Full package profile →

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1

9.1 / 10

EPSS

0.7%

chance of exploitation in 30 days

Higher than 46% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A None

What should I do?

5 steps

PATCH

Upgrade to Gradio >= 3.34.0 immediately—this is the only fix, no workarounds exist per vendor.
DISCOVER

Scan your perimeter and internal networks for exposed Gradio instances (default port 7860); check Shodan for public-facing instances tied to your org.
NETWORK CONTROLS

Until patched, restrict Gradio to localhost or VPN-only access; block outbound HTTP from Gradio processes to cloud metadata IPs (169.254.169.254, 169.254.170.2).
AUDIT LOGS

Review web server logs for path traversal patterns (../, %2e%2e, encoded variants) and suspicious outbound proxy requests.
ROTATE

Assume any credentials in files accessible to the Gradio process on exposed instances may be compromised—rotate API keys, cloud credentials, and secrets.

What does CISA's SSVC say?

Decision Track*

Exploitation none

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Privacy Violation Auth Bypass Framework API AML.T0007 - Discover AI Artifacts AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system

ISO 42001

A.6.1.2 - Information access restriction A.8.4 - Technical security controls for AI systems

NIST AI RMF

GOVERN-6.1 - Policies and procedures for AI risk management MANAGE-2.4 - Residual risks are monitored and managed

OWASP LLM Top 10

LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2023-34239?

Any internet-exposed Gradio instance running below 3.34.0 is trivially exploitable by unauthenticated attackers to read arbitrary server files (model weights, .env, API keys) and pivot into internal infrastructure via SSRF. Upgrade to 3.34.0 immediately and audit all Gradio deployments for public exposure—ML teams routinely spin these up without security review. Treat any previously exposed instance as potentially compromised and rotate credentials.

Is CVE-2023-34239 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-34239, increasing the risk of exploitation.

How to fix CVE-2023-34239?

1. PATCH: Upgrade to Gradio >= 3.34.0 immediately—this is the only fix, no workarounds exist per vendor. 2. DISCOVER: Scan your perimeter and internal networks for exposed Gradio instances (default port 7860); check Shodan for public-facing instances tied to your org. 3. NETWORK CONTROLS: Until patched, restrict Gradio to localhost or VPN-only access; block outbound HTTP from Gradio processes to cloud metadata IPs (169.254.169.254, 169.254.170.2). 4. AUDIT LOGS: Review web server logs for path traversal patterns (../, %2e%2e, encoded variants) and suspicious outbound proxy requests. 5. ROTATE: Assume any credentials in files accessible to the Gradio process on exposed instances may be compromised—rotate API keys, cloud credentials, and secrets.

What systems are affected by CVE-2023-34239?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, model demo environments, training pipelines.

What is the CVSS score for CVE-2023-34239?

CVE-2023-34239 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.65%.

What is the AI security impact?

Affected AI Architectures

model servingML development environmentsmodel demo environmentstraining pipelines

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9

ISO 42001: A.6.1.2, A.8.4

NIST AI RMF: GOVERN-6.1, MANAGE-2.4

OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploitation Scenario

Attacker scans for Gradio instances on port 7860 (trivially findable via Shodan). Against an unpatched instance, they craft a file download request with path traversal: GET /file=../../.env or /file=../../../root/.aws/credentials. This returns plaintext API keys and cloud credentials with zero authentication. Separately, they abuse the URL proxy endpoint to make the server fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/ to harvest AWS IAM tokens with full EC2 instance permissions—enabling complete cloud account compromise. Both attacks are a single HTTP request, requiring no AI/ML knowledge and no persistent access.

Weaknesses (CWE)

CWE-20 Improper Input Validation

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

[Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
[Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.