CVE-2023-6572: Gradio: command injection enables RCE on ML servers

HIGH PoC AVAILABLE
Published December 14, 2023
CISO Take

Any Gradio-based ML interface exposed on your network—internal demos, model UIs, experimentation tools—is a direct shell access vector requiring low privileges and zero user interaction. Patch to post-commit 5b5af18 immediately and treat every Gradio endpoint as a critical asset, not a dev tool. Audit your AI/ML teams now: Gradio deployments are frequently spun up outside normal IT controls.

Risk Assessment

High. CVSS 8.1 understates real-world risk in ML environments where Gradio is routinely deployed with minimal hardening. Network-reachable, low-privilege, zero-click exploitation translates to near-certain compromise for unpatched instances. The ML ecosystem's culture of exposing Gradio publicly for demos dramatically widens the attack surface. Confidentiality and integrity are both fully compromised; model weights, training data, and API keys stored on the host are at immediate risk.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
gradio    pip                            No patch

Severity & Risk

CVSS 3.1
8.1 / 10
EPSS
2.5%
chance of exploitation in 30 days
Higher than 85% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

Recommended Action

7 steps
  1. PATCH

    Upgrade Gradio to a version incorporating commit 5b5af1899dd98d63e1f9b48a93601c2db1f56520 immediately.

  2. INVENTORY

    Enumerate all Gradio instances across teams—shadow IT is common in ML orgs.

  3. ISOLATE

    Place Gradio instances behind VPN/private networking; remove all public internet exposure unless strictly required.

  4. AUTHENTICATE

    Enforce authentication before Gradio UI access; disable share=True (public tunnels) in all non-demo contexts.

  5. DETECT

    Alert on unexpected child process spawning from Gradio/Python processes.

  6. AUDIT

    Review Gradio deployments for evidence of prior exploitation (unusual processes, new files, outbound connections).

  7. HARDEN

    Run Gradio in containers with minimal OS privileges and network egress controls.
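An added example for step 5 (DETECT), written for this advisory and not part of it or of Gradio: it walks a process tree built from exec events and alerts on any non-allowlisted descendant of a Python process serving a Gradio app. The event shape, the `ALLOWED_CHILDREN` allowlist and the "gradio in cmdline" heuristic are assumptions; map your own EDR or auditd export onto the event fields.

```python
import os

# Hypothetical allowlist of children the Gradio app legitimately spawns; tune per deployment.
ALLOWED_CHILDREN = {"ffmpeg"}
# Shells and interpreters: a high-severity signal when descended from the web-serving process.
SHELLS = {"sh", "bash", "dash", "zsh", "python3", "perl"}

def is_gradio_process(event):
    """Heuristic: a Python interpreter whose command line references the Gradio app."""
    return os.path.basename(event["exe"]).startswith("python") and "gradio" in event["cmdline"]

def gradio_ancestor(event, by_pid, gradio_pids, max_depth=16):
    """Return the pid of the nearest Gradio process above `event`, or None if there is none."""
    ppid = event["ppid"]
    for _ in range(max_depth):
        parent = by_pid.get(ppid)
        if parent is None:
            return None
        if parent["pid"] in gradio_pids:
            return parent["pid"]
        ppid = parent["ppid"]
    return None

def find_unexpected_children(events):
    """Alert on every non-allowlisted process descended from a Gradio process."""
    by_pid = {e["pid"]: e for e in events}
    gradio_pids = {e["pid"] for e in events if is_gradio_process(e)}
    alerts = []
    for e in events:
        if e["pid"] in gradio_pids:
            continue
        origin = gradio_ancestor(e, by_pid, gradio_pids)
        base = os.path.basename(e["exe"])
        if origin is None or base in ALLOWED_CHILDREN:
            continue
        alerts.append({"pid": e["pid"], "exe": base, "gradio_pid": origin,
                       "severity": "high" if base in SHELLS else "medium",
                       "cmdline": e["cmdline"]})
    return alerts

# Constructed process-exec events (pid, ppid, exe, cmdline), as one might map from auditd EXECVE records.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "exe": "/usr/bin/python3", "cmdline": "python3 gradio_demo.py"},
    {"pid": 101, "ppid": 100, "exe": "/usr/bin/ffmpeg", "cmdline": "ffmpeg -i in.wav out.mp3"},
    {"pid": 102, "ppid": 100, "exe": "/bin/sh", "cmdline": "sh -c id"},
    {"pid": 103, "ppid": 102, "exe": "/usr/bin/curl", "cmdline": "curl http://example.invalid/"},
    {"pid": 200, "ppid": 1, "exe": "/usr/bin/python3", "cmdline": "python3 train.py"},
    {"pid": 201, "ppid": 200, "exe": "/bin/sh", "cmdline": "sh -c make"},
]
```

On the sample, the shell and the curl it spawns under the Gradio process are flagged, while the allowlisted ffmpeg and the shell under the unrelated training job are not.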

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.2 - AI system risk assessment
ISO 42001: 9.1 - Monitoring, measurement, analysis and evaluation
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI system resilience
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2023-6572 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6572, increasing the risk of exploitation.

What systems are affected by CVE-2023-6572?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, agent frameworks, training pipelines, ML experimentation environments.

What is the CVSS score for CVE-2023-6572?

CVE-2023-6572 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 2.45%.

Technical Details

NVD Description

Command Injection in GitHub repository gradio-app/gradio prior to main.

Exploitation Scenario

An attacker with a low-privilege account (or access to a public-facing Gradio demo with no auth) crafts a malicious input payload exploiting the command injection flaw in Gradio's input processing. The injected command executes with the privileges of the Python process hosting the ML model—typically a service account with broad filesystem access. The attacker establishes a reverse shell, extracts model weights and training data, harvests cloud credentials from environment variables, then pivots to cloud infrastructure or CI/CD pipelines. In orgs using Gradio as an agent interface, the same foothold enables prompt injection against downstream LLM calls. The entire chain requires no special ML knowledge—standard command injection tooling suffices.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
December 14, 2023
Last Modified
November 21, 2024
First Seen
December 14, 2023
