CVE-2024-10569 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2024-10569 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-10569, increasing the risk of exploitation.

Q: How to fix CVE-2024-10569?

1. Patch: upgrade Gradio beyond the affected range (>=4.0.0, <=5.0.0b2). No patched version is listed in NVD yet — monitor github.com/gradio-app/gradio for a release and pin to it immediately. 2. Workaround: enforce upload file-size limits at the reverse proxy (nginx: client_max_body_size 1m). 3. Workaround: disable file upload on Dataframe components if CSV ingestion is not required (set type='array' instead of 'filepath'). 4. Network control: restrict Gradio endpoints to authenticated users or internal networks only. 5. Detection: alert on unusually large multipart/form-data uploads to Gradio routes (/upload, /queue/join). Monitor for sudden memory spikes or process restarts on Gradio workers.

Q: What systems are affected by CVE-2024-10569?

This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving, inference UI.

Q: What is the CVSS score for CVE-2024-10569?

CVE-2024-10569 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.47%.

CISO Take

Any Gradio deployment exposing a dataframe component to untrusted users is vulnerable to a trivial unauthenticated crash via zip bomb upload. Patch to a version beyond 5.0.0b2 or add file-size limits at the reverse proxy immediately. Risk is low for internal-only deployments; critical for public-facing ML demos or inference UIs.

Risk Assessment

CVSS 7.5 HIGH with AV:N/AC:L/PR:N/UI:N — no authentication required, network-exploitable, low complexity. EPSS 0.00158 indicates minimal active exploitation observed. Not in CISA KEV. Real-world risk is moderate: Gradio is widely used to expose ML models as quick demos, and many deployments are public-facing with minimal hardening. The impact is confined to availability (no data exfiltration), but server crashes can disrupt production inference endpoints.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →
gradio	pip	>= 4.0.0, <= 5.0.0b2	No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.5%

chance of exploitation in 30 days

Higher than 65% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch: upgrade Gradio beyond the affected range (>=4.0.0, <=5.0.0b2). No patched version is listed in NVD yet — monitor github.com/gradio-app/gradio for a release and pin to it immediately.
Workaround: enforce upload file-size limits at the reverse proxy (nginx: client_max_body_size 1m).
Workaround: disable file upload on Dataframe components if CSV ingestion is not required (set type='array' instead of 'filepath').
Network control: restrict Gradio endpoints to authenticated users or internal networks only.
Detection: alert on unusually large multipart/form-data uploads to Gradio routes (/upload, /queue/join). Monitor for sudden memory spikes or process restarts on Gradio workers.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.10.2 - AI system operation and monitoring A.6.2.5 - Safety and security in AI system design

NIST AI RMF

GOVERN-6.1 - Policies and procedures for AI risk tracking MANAGE-2.2 - Mechanisms for incident response and recovery

OWASP LLM Top 10

LLM04:2025 - Model Denial of Service

Frequently Asked Questions

What is CVE-2024-10569?

Any Gradio deployment exposing a dataframe component to untrusted users is vulnerable to a trivial unauthenticated crash via zip bomb upload. Patch to a version beyond 5.0.0b2 or add file-size limits at the reverse proxy immediately. Risk is low for internal-only deployments; critical for public-facing ML demos or inference UIs.

Is CVE-2024-10569 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-10569, increasing the risk of exploitation.

How to fix CVE-2024-10569?

1. Patch: upgrade Gradio beyond the affected range (>=4.0.0, <=5.0.0b2). No patched version is listed in NVD yet — monitor github.com/gradio-app/gradio for a release and pin to it immediately. 2. Workaround: enforce upload file-size limits at the reverse proxy (nginx: client_max_body_size 1m). 3. Workaround: disable file upload on Dataframe components if CSV ingestion is not required (set type='array' instead of 'filepath'). 4. Network control: restrict Gradio endpoints to authenticated users or internal networks only. 5. Detection: alert on unusually large multipart/form-data uploads to Gradio routes (/upload, /queue/join). Monitor for sudden memory spikes or process restarts on Gradio workers.

What systems are affected by CVE-2024-10569?

This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving, inference UI.

What is the CVSS score for CVE-2024-10569?

CVE-2024-10569 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.47%.

Technical Details

NVD Description

A vulnerability in the dataframe component of gradio-app/gradio (version git 98cbcae) allows for a zip bomb attack. The component uses pd.read_csv to process input values, which can accept compressed files. An attacker can exploit this by uploading a maliciously crafted zip bomb, leading to a server crash and causing a denial of service.

Exploitation Scenario

An unauthenticated attacker identifies a public-facing Gradio application — common for ML model demos on Hugging Face Spaces or self-hosted inference UIs. The attacker crafts a zip bomb (e.g., a recursive ZIP with 1 KB compressed → 1 GB expanded) and submits it as the CSV file input to a Dataframe component via the Gradio HTTP API. The server calls pd.read_csv on the upload, which decompresses the payload in memory. Memory exhaustion causes the Python process to crash or the host to OOM-kill it, taking the inference endpoint offline. The attack requires no credentials, no special knowledge of ML, and is repeatable — the attacker can loop the request to prevent recovery.