CVE-2023-51449 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any Gradio app below version 4.11.0 with a public URL — Hugging Face Spaces or share=True demos — exposes the entire host filesystem to unauthenticated remote attackers. Upgrade to 4.11.0 immediately and rotate all secrets on affected hosts. Assume model weights, API keys, and credentials may already be exfiltrated.

Risk Assessment

High risk in practice. CVSS 7.5 understates operational exposure: zero authentication, trivial exploit, and the ML demo use case means thousands of instances run publicly by design. Hugging Face Spaces deployments are especially exposed. Sensitive assets at risk include .env files with LLM API keys, cloud credentials, proprietary model weights, and training data. No active KEV listing but the exploit pattern is well-known and automatable.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.5 679 dependents Pushed 2d ago 27% patched ~110d to patch Full package profile →

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

81.5%

chance of exploitation in 30 days

Higher than 99% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 81%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

5 steps

Immediate: Upgrade gradio to >= 4.11.0 across all environments.
Audit: Inventory all Gradio instances — flag any running with share=True or deployed to Hugging Face Spaces on vulnerable versions.
Rotate: All secrets (API keys, cloud credentials, tokens) on hosts running vulnerable versions.
Detection: Grep web server / application logs for /file route requests containing traversal sequences: ../, %2e%2e, %252e%252e, encoded variants.
Harden: Place Gradio apps behind an authenticated reverse proxy in production; never expose share=True publicly for sensitive workloads.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Privacy Violation Framework Inference AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security and resilience

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain AI risk management

OWASP LLM Top 10

LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-51449?

Any Gradio app below version 4.11.0 with a public URL — Hugging Face Spaces or share=True demos — exposes the entire host filesystem to unauthenticated remote attackers. Upgrade to 4.11.0 immediately and rotate all secrets on affected hosts. Assume model weights, API keys, and credentials may already be exfiltrated.

Is CVE-2023-51449 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-51449, increasing the risk of exploitation.

How to fix CVE-2023-51449?

1. Immediate: Upgrade gradio to >= 4.11.0 across all environments. 2. Audit: Inventory all Gradio instances — flag any running with share=True or deployed to Hugging Face Spaces on vulnerable versions. 3. Rotate: All secrets (API keys, cloud credentials, tokens) on hosts running vulnerable versions. 4. Detection: Grep web server / application logs for /file route requests containing traversal sequences: ../, %2e%2e, %252e%252e, encoded variants. 5. Harden: Place Gradio apps behind an authenticated reverse proxy in production; never expose share=True publicly for sensitive workloads.

What systems are affected by CVE-2023-51449?

This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving, inference endpoints, training pipelines.

What is the CVSS score for CVE-2023-51449?

CVE-2023-51449 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 81.49%.

Technical Details

NVD Description

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.

Exploitation Scenario

Attacker mass-scans Hugging Face Spaces and public Gradio instances for version disclosure via response headers or HTML metadata. Against a vulnerable target, they craft GET requests to /file=../../.env or /file=../../root/.aws/credentials — no authentication required, low complexity. Automated scripts enumerate common sensitive paths in seconds. Exfiltrated API keys fund further attacks (LLM abuse, cloud resource theft). Attack is silent, leaves minimal forensic trace beyond HTTP access logs that operators rarely monitor.