AI Threat Alert

CVE-2024-0964: Gradio: unauthenticated LFI exposes full server filesystem

CRITICAL PoC AVAILABLE CISA: TRACK*
Published February 5, 2024
CISO Take

Any internet-exposed Gradio instance is vulnerable to unauthenticated arbitrary file read — attackers send a crafted JSON payload to the API and can retrieve model weights, environment files, API keys, and training data. CVSS 9.4 with no auth required means blast radius is immediate and total for exposed deployments. Patch to a fixed version now; if you cannot patch, firewall Gradio API endpoints and treat any public-facing instance as potentially compromised.

What is the risk?

Critically high. The attack requires no authentication, no user interaction, and is trivially exploitable from the internet. Gradio is ubiquitously deployed in ML teams for model demos, internal tooling, and Hugging Face Spaces — the attack surface is massive. Exploitation does not require AI/ML knowledge, only the ability to send an HTTP request with a path traversal string in a JSON body. In ML environments, servers typically co-locate model weights, training data, cloud credentials, and .env files — all directly accessible via this vulnerability.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Gradio pip No patch
43.0K OpenSSF 5.6 685 dependents Pushed 4d ago 26% patched ~110d to patch Full package profile →

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1
9.4 / 10
EPSS
1.0%
chance of exploitation in 30 days
Higher than 57% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A Low

What should I do?

6 steps

  1. Patch: Upgrade Gradio to the version containing commit d76bcaaaf073 (check GitHub advisory for minimum safe version).

  2. Network controls: If immediate patching is not possible, restrict Gradio API access to trusted IP ranges or put behind authenticated reverse proxy.

  3. Detection: Search web/app server logs for path traversal patterns in JSON bodies (../../../, %2e%2e%2f, etc.) directed at Gradio API endpoints.

  4. Secrets rotation: If Gradio was publicly exposed prior to patching, rotate all credentials that were present on the host — API keys, cloud credentials, service tokens.

  5. Audit exposure: Enumerate all Gradio instances via internal asset inventory; assume any public instance without patching confirmation has been read-accessed.

  6. Hugging Face Spaces: If using HF Spaces with Gradio, verify HF has applied the patch or redeploy spaces with updated Gradio version.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Auth Bypass Framework Inference API AML.T0007 AML.T0025 AML.T0037 AML.T0049 AML.T0055

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - Security of AI system
NIST AI RMF
MANAGE-2.4 - Residual risks are managed
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-0964?

Any internet-exposed Gradio instance is vulnerable to unauthenticated arbitrary file read — attackers send a crafted JSON payload to the API and can retrieve model weights, environment files, API keys, and training data. CVSS 9.4 with no auth required means blast radius is immediate and total for exposed deployments. Patch to a fixed version now; if you cannot patch, firewall Gradio API endpoints and treat any public-facing instance as potentially compromised.

Is CVE-2024-0964 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-0964, increasing the risk of exploitation.

How to fix CVE-2024-0964?

1. Patch: Upgrade Gradio to the version containing commit d76bcaaaf073 (check GitHub advisory for minimum safe version). 2. Network controls: If immediate patching is not possible, restrict Gradio API access to trusted IP ranges or put behind authenticated reverse proxy. 3. Detection: Search web/app server logs for path traversal patterns in JSON bodies (../../../, %2e%2e%2f, etc.) directed at Gradio API endpoints. 4. Secrets rotation: If Gradio was publicly exposed prior to patching, rotate all credentials that were present on the host — API keys, cloud credentials, service tokens. 5. Audit exposure: Enumerate all Gradio instances via internal asset inventory; assume any public instance without patching confirmation has been read-accessed. 6. Hugging Face Spaces: If using HF Spaces with Gradio, verify HF has applied the patch or redeploy spaces with updated Gradio version.

What systems are affected by CVE-2024-0964?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, AI prototype APIs, inference endpoints.

What is the CVSS score for CVE-2024-0964?

CVE-2024-0964 has a CVSS v3.1 base score of 9.4 (CRITICAL). The EPSS exploitation probability is 0.95%.

What is the AI security impact?

Affected AI Architectures

model servingML development environmentsAI prototype APIsinference endpoints

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE-2.4
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.

Exploitation Scenario

An adversary scanning for ML tooling endpoints discovers a public-facing Gradio demo endpoint (common on ports 7860/7861 or via Hugging Face Spaces). They send a POST request to the Gradio API with a JSON payload containing a path traversal string targeting sensitive files (e.g., ../../../../etc/passwd, then ../../../../app/.env). The server returns file contents directly. The attacker enumerates common ML environment paths to extract: Hugging Face tokens (used to download/push private models), OpenAI or Anthropic API keys (for billing abuse or prompt injection at scale), AWS/GCP credentials (for cloud pivot), and proprietary model weights or fine-tuning datasets. If the Gradio instance runs in a container with mounted secrets, the exfiltration is immediate and requires no further exploitation steps.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

References

Timeline

Published
February 5, 2024
Last Modified
November 21, 2024
First Seen
February 5, 2024

Related Vulnerabilities

CRITICAL CVE-2024-47167 9.8

Gradio: unauthenticated SSRF in /queue/join, internal pivot

Same package: gradio
CRITICAL CVE-2024-39236 9.8

Gradio: code injection via component metadata (CVSS 9.8)

Same package: gradio
CRITICAL CVE-2023-25823 9.8

Gradio: hardcoded SSH key leaks via share=True demos

Same package: gradio
CRITICAL CVE-2024-4253 9.1

Gradio: CI/CD command injection enables secrets exfiltration

Same package: gradio
CRITICAL CVE-2023-34239 9.1

Gradio: path traversal + SSRF exposes model files & infra

Same package: gradio
Back to Threat Feed