CVE-2024-10569: Gradio zip bomb DoS — HIGH

Q: Is CVE-2024-10569 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-10569, increasing the risk of exploitation.

Q: How to fix CVE-2024-10569?

1. Patch: upgrade Gradio beyond the affected range (>=4.0.0, <=5.0.0b2). No patched version is listed in NVD yet — monitor github.com/gradio-app/gradio for a release and pin to it immediately. 2. Workaround: enforce upload file-size limits at the reverse proxy (nginx: client_max_body_size 1m). 3. Workaround: disable file upload on Dataframe components if CSV ingestion is not required (set type='array' instead of 'filepath'). 4. Network control: restrict Gradio endpoints to authenticated users or internal networks only. 5. Detection: alert on unusually large multipart/form-data uploads to Gradio routes (/upload, /queue/join). Monitor for sudden memory spikes or process restarts on Gradio workers.

Q: What systems are affected by CVE-2024-10569?

This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving, inference UI.

Q: What is the CVSS score for CVE-2024-10569?

CVE-2024-10569 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.61%.

CISO Take

Any Gradio deployment exposing a dataframe component to untrusted users is vulnerable to a trivial unauthenticated crash via zip bomb upload. Patch to a version beyond 5.0.0b2 or add file-size limits at the reverse proxy immediately. Risk is low for internal-only deployments; critical for public-facing ML demos or inference UIs.

What is the risk?

CVSS 7.5 HIGH with AV:N/AC:L/PR:N/UI:N — no authentication required, network-exploitable, low complexity. EPSS 0.00158 indicates minimal active exploitation observed. Not in CISA KEV. Real-world risk is moderate: Gradio is widely used to expose ML models as quick demos, and many deployments are public-facing with minimal hardening. The impact is confined to availability (no data exfiltration), but server crashes can disrupt production inference endpoints.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Gradio	pip	—	No patch
43.0K OpenSSF 5.6 685 dependents Pushed 5d ago 26% patched ~110d to patch Full package profile →
Gradio	pip	>= 4.0.0, <= 5.0.0b2	No patch
43.0K OpenSSF 5.6 685 dependents Pushed 5d ago 26% patched ~110d to patch Full package profile →

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.6%

chance of exploitation in 30 days

Higher than 45% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Patch: upgrade Gradio beyond the affected range (>=4.0.0, <=5.0.0b2). No patched version is listed in NVD yet — monitor github.com/gradio-app/gradio for a release and pin to it immediately.
Workaround: enforce upload file-size limits at the reverse proxy (nginx: client_max_body_size 1m).
Workaround: disable file upload on Dataframe components if CSV ingestion is not required (set type='array' instead of 'filepath').
Network control: restrict Gradio endpoints to authenticated users or internal networks only.
Detection: alert on unusually large multipart/form-data uploads to Gradio routes (/upload, /queue/join). Monitor for sudden memory spikes or process restarts on Gradio workers.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.10.2 - AI system operation and monitoring A.6.2.5 - Safety and security in AI system design

NIST AI RMF

GOVERN-6.1 - Policies and procedures for AI risk tracking MANAGE-2.2 - Mechanisms for incident response and recovery

OWASP LLM Top 10

LLM04:2025 - Model Denial of Service

Frequently Asked Questions

What is CVE-2024-10569?

Any Gradio deployment exposing a dataframe component to untrusted users is vulnerable to a trivial unauthenticated crash via zip bomb upload. Patch to a version beyond 5.0.0b2 or add file-size limits at the reverse proxy immediately. Risk is low for internal-only deployments; critical for public-facing ML demos or inference UIs.

Is CVE-2024-10569 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-10569, increasing the risk of exploitation.

How to fix CVE-2024-10569?

1. Patch: upgrade Gradio beyond the affected range (>=4.0.0, <=5.0.0b2). No patched version is listed in NVD yet — monitor github.com/gradio-app/gradio for a release and pin to it immediately. 2. Workaround: enforce upload file-size limits at the reverse proxy (nginx: client_max_body_size 1m). 3. Workaround: disable file upload on Dataframe components if CSV ingestion is not required (set type='array' instead of 'filepath'). 4. Network control: restrict Gradio endpoints to authenticated users or internal networks only. 5. Detection: alert on unusually large multipart/form-data uploads to Gradio routes (/upload, /queue/join). Monitor for sudden memory spikes or process restarts on Gradio workers.

What systems are affected by CVE-2024-10569?

This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving, inference UI.

What is the CVSS score for CVE-2024-10569?

CVE-2024-10569 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.61%.

What is the AI security impact?

Affected AI Architectures

ML demo platformsmodel servinginference UI

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service

AML.T0034 Cost Harvesting

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.10.2, A.6.2.5

NIST AI RMF: GOVERN-6.1, MANAGE-2.2

OWASP LLM Top 10: LLM04:2025

What are the technical details?

Original Advisory

A vulnerability in the dataframe component of gradio-app/gradio (version git 98cbcae) allows for a zip bomb attack. The component uses pd.read_csv to process input values, which can accept compressed files. An attacker can exploit this by uploading a maliciously crafted zip bomb, leading to a server crash and causing a denial of service.

Exploitation Scenario

An unauthenticated attacker identifies a public-facing Gradio application — common for ML model demos on Hugging Face Spaces or self-hosted inference UIs. The attacker crafts a zip bomb (e.g., a recursive ZIP with 1 KB compressed → 1 GB expanded) and submits it as the CSV file input to a Dataframe component via the Gradio HTTP API. The server calls pd.read_csv on the upload, which decompresses the payload in memory. Memory exhaustion causes the Python process to crash or the host to OOM-kill it, taking the inference endpoint offline. The attack requires no credentials, no special knowledge of ML, and is repeatable — the attacker can loop the request to prevent recovery.

Weaknesses (CWE)

CWE-475 Undefined Behavior for Input to API Primary CWE-475 Undefined Behavior for Input to API

CWE-475 — Undefined Behavior for Input to API: The behavior of this function is undefined unless its control parameter is set to a specific value.

Source: MITRE CWE corpus.