AI Threat Alert AI Threat Alert

CVE-2023-34239: Gradio: path traversal + SSRF exposes model files & infra

CRITICAL PoC AVAILABLE CISA: TRACK*
Published June 8, 2023
CISO Take

Any internet-exposed Gradio instance running below 3.34.0 is trivially exploitable by unauthenticated attackers to read arbitrary server files (model weights, .env, API keys) and pivot into internal infrastructure via SSRF. Upgrade to 3.34.0 immediately and audit all Gradio deployments for public exposure—ML teams routinely spin these up without security review. Treat any previously exposed instance as potentially compromised and rotate credentials.

Risk Assessment

Severity is justified: CVSS 9.1, no authentication, no user interaction, network-exploitable. Gradio is pervasive in ML prototyping and demo environments, which are routinely exposed publicly. The SSRF vector is especially dangerous in cloud environments where it can chain to instance metadata services (AWS IMDSv1, GCP) to steal IAM credentials. Low attack complexity means opportunistic scanning will find and exploit these at scale. No known active exploitation at time of publication, but the attack surface is wide and the barrier to exploit is effectively zero.

Affected Systems

Package Ecosystem Vulnerable Range Patched
gradio pip No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1
9.1 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 51% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A None

Recommended Action

5 steps

  1. PATCH

    Upgrade to Gradio >= 3.34.0 immediately—this is the only fix, no workarounds exist per vendor.

  2. DISCOVER

    Scan your perimeter and internal networks for exposed Gradio instances (default port 7860); check Shodan for public-facing instances tied to your org.

  3. NETWORK CONTROLS

    Until patched, restrict Gradio to localhost or VPN-only access; block outbound HTTP from Gradio processes to cloud metadata IPs (169.254.169.254, 169.254.170.2).

  4. AUDIT LOGS

    Review web server logs for path traversal patterns (../, %2e%2e, encoded variants) and suspicious outbound proxy requests.

  5. ROTATE

    Assume any credentials in files accessible to the Gradio process on exposed instances may be compromised—rotate API keys, cloud credentials, and secrets.

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Privacy Violation Auth Bypass Framework API AML.T0007 AML.T0025 AML.T0035 AML.T0037 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system
ISO 42001
A.6.1.2 - Information access restriction A.8.4 - Technical security controls for AI systems
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk management MANAGE-2.4 - Residual risks are monitored and managed
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2023-34239?

Any internet-exposed Gradio instance running below 3.34.0 is trivially exploitable by unauthenticated attackers to read arbitrary server files (model weights, .env, API keys) and pivot into internal infrastructure via SSRF. Upgrade to 3.34.0 immediately and audit all Gradio deployments for public exposure—ML teams routinely spin these up without security review. Treat any previously exposed instance as potentially compromised and rotate credentials.

Is CVE-2023-34239 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-34239, increasing the risk of exploitation.

How to fix CVE-2023-34239?

1. PATCH: Upgrade to Gradio >= 3.34.0 immediately—this is the only fix, no workarounds exist per vendor. 2. DISCOVER: Scan your perimeter and internal networks for exposed Gradio instances (default port 7860); check Shodan for public-facing instances tied to your org. 3. NETWORK CONTROLS: Until patched, restrict Gradio to localhost or VPN-only access; block outbound HTTP from Gradio processes to cloud metadata IPs (169.254.169.254, 169.254.170.2). 4. AUDIT LOGS: Review web server logs for path traversal patterns (../, %2e%2e, encoded variants) and suspicious outbound proxy requests. 5. ROTATE: Assume any credentials in files accessible to the Gradio process on exposed instances may be compromised—rotate API keys, cloud credentials, and secrets.

What systems are affected by CVE-2023-34239?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, model demo environments, training pipelines.

What is the CVSS score for CVE-2023-34239?

CVE-2023-34239 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.28%.

Technical Details

NVD Description

Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploitation Scenario

Attacker scans for Gradio instances on port 7860 (trivially findable via Shodan). Against an unpatched instance, they craft a file download request with path traversal: GET /file=../../.env or /file=../../../root/.aws/credentials. This returns plaintext API keys and cloud credentials with zero authentication. Separately, they abuse the URL proxy endpoint to make the server fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/ to harvest AWS IAM tokens with full EC2 instance permissions—enabling complete cloud account compromise. Both attacks are a single HTTP request, requiring no AI/ML knowledge and no persistent access.

Weaknesses (CWE)

CWE-20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Timeline

Published
June 8, 2023
Last Modified
November 21, 2024
First Seen
June 8, 2023

Related Vulnerabilities

CRITICAL CVE-2024-39236 9.8

Gradio: code injection via component metadata (CVSS 9.8)

Same package: gradio
CRITICAL CVE-2024-47167 9.8

Gradio: unauthenticated SSRF in /queue/join, internal pivot

Same package: gradio
CRITICAL CVE-2023-25823 9.8

Gradio: hardcoded SSH key leaks via share=True demos

Same package: gradio
CRITICAL CVE-2024-0964 9.4

Gradio: unauthenticated LFI exposes full server filesystem

Same package: gradio
CRITICAL CVE-2024-4253 9.1

Gradio: CI/CD command injection enables secrets exfiltration

Same package: gradio
Back to Threat Feed