CVE-2024-10624: Gradio: ReDoS in DateTime causes CPU exhaustion DoS

GHSA-rvgh-pr46-x7gg | Severity: HIGH | PoC available | CISA SSVC: Track*
Published March 20, 2025
CISO Take

An unauthenticated attacker can send a single crafted HTTP request to any Gradio deployment using the gr.Datetime component and pin server CPU at 100%, taking down your ML inference endpoint. No exploit sophistication required — the attack surface is any publicly exposed Gradio interface. Upgrade Gradio past the affected range (4.38.0–5.0.0-beta.2) immediately; if you cannot patch, block or rate-limit access to Gradio datetime endpoints at the WAF layer.

What is the risk?

CVSS 7.5 (High) with low EPSS (0.78%) — not actively exploited in the wild as of disclosure, but trivially weaponizable. No authentication, no privileges, no user interaction required. The blast radius is availability only (no data exfiltration), but for AI teams running Gradio as a production inference UI or internal demo platform, a sustained attack renders the service completely unavailable. Risk is elevated for organizations exposing Gradio to the public internet without rate limiting or WAF controls.

What systems are affected?

Package   Ecosystem   Vulnerable Range              Patched
Gradio    pip         >= 4.38.0, <= 5.0.0-beta.2    No patch

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 1.0% chance of exploitation in 30 days (higher than 59% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Metric                      Value
AV (Attack Vector)          Network
AC (Attack Complexity)      Low
PR (Privileges Required)    None
UI (User Interaction)       None
S  (Scope)                  Unchanged
C  (Confidentiality)        None
I  (Integrity)              None
A  (Availability)           High

What should I do?

  1. PATCH: Upgrade Gradio to a version beyond 5.0.0-beta.2; verify the fix for CVE-2024-10624 is included in the target version changelog.

  2. WORKAROUND (if patching is delayed): Remove or disable gr.Datetime components from production interfaces. Replace with a plain text input with server-side validation using a non-backtracking regex or datetime parsing library.

  3. WAF/RATE LIMITING: Implement request rate limiting on Gradio endpoints (e.g., nginx limit_req or Cloudflare rate limiting). Limit input field length at the reverse proxy layer.

  4. DETECTION: Alert on sustained high CPU usage (>80% for >30s) in Gradio worker processes. Log and inspect incoming datetime field values for anomalous patterns (excessive whitespace, unusual character repetition).

  5. ISOLATION: Run Gradio processes in containers with CPU limits (e.g., Docker --cpus=1) to contain blast radius.
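As an added example (not Gradio's code and not the project's own fix), here is the kind of server-side validation steps 2 and 4 call for: a single-pass parser for the "now - N d|m|h|s" shorthand that the vulnerable regex accepted, with a length cap, plus a heuristic that flags field values worth logging. The 64-character cap, the whitespace and run thresholds, and the tuple return format are assumptions.

```python
# Added example: linear-time validation for the "now - N unit" shorthand the
# vulnerable gr.Datetime regex accepted, plus a logging heuristic for odd values.
# Not Gradio's code; the cap, thresholds and return format are assumptions.

MAX_DATETIME_LEN = 64   # assumption: reject anything longer before parsing
UNITS = ("d", "m", "h", "s")


def parse_relative_now(raw: str):
    """One left-to-right scan, no regex. Returns ('', None, None) for a blank
    field, ('now', None, None), ('now', N, unit), or None when rejected."""
    if not isinstance(raw, str) or len(raw) > MAX_DATETIME_LEN:
        return None
    s = raw.strip()                      # leading/trailing whitespace
    if s == "":
        return ("", None, None)          # the original grammar allowed blank
    if not s.startswith("now"):
        return None
    rest = s[3:].lstrip()                # whitespace after 'now'
    if rest == "":
        return ("now", None, None)
    if rest[0] != "-":
        return None
    rest = rest[1:].lstrip()             # whitespace after '-'
    i = 0
    while i < len(rest) and "0" <= rest[i] <= "9":
        i += 1
    if i == 0:
        return None                      # '-' must be followed by digits
    unit = rest[i:].lstrip()             # whitespace before the unit
    if unit not in UNITS:
        return None                      # exactly one unit char, nothing after
    return ("now", int(rest[:i]), unit)


def is_anomalous(raw: str, max_ws: int = 8, max_run: int = 8) -> bool:
    """Step-4 heuristic: over-long, whitespace-heavy, or long single-char runs."""
    if len(raw) > MAX_DATETIME_LEN:
        return True
    if sum(c.isspace() for c in raw) > max_ws:
        return True
    run, prev = 0, None
    for c in raw:
        run = run + 1 if c == prev else 1
        if run > max_run:
            return True
        prev = c
    return False
```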

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system operation and monitoring
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place to sustain AI RMF plans
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2024-10624 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-10624, increasing the risk of exploitation.

What systems are affected by CVE-2024-10624?

This vulnerability affects the following AI/ML architecture patterns: ML demo interfaces, model serving, AI prototyping platforms, HuggingFace Spaces deployments.

What is the CVSS score for CVE-2024-10624?

CVE-2024-10624 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.01%.

What is the AI security impact?

Affected AI Architectures

ML demo interfaces, model serving, AI prototyping platforms, HuggingFace Spaces deployments

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$` to process user input. In Python's default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.

Exploitation Scenario

An adversary targeting a competitor's publicly accessible ML demo built on Gradio identifies a gr.Datetime input field. They craft an HTTP POST request with a datetime value containing excessive whitespace padding designed to trigger catastrophic backtracking in Python's re engine against the pattern `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$`. A simple bash loop sending 10–20 concurrent requests pegs the Gradio Python process at 100% CPU. Because Gradio runs single-threaded by default, no other inference requests can be processed. The attacker sustains the attack with minimal resources (a single low-bandwidth connection suffices) while the victim's model serving endpoint is completely unavailable. For HuggingFace Spaces or public demo deployments, this requires zero reconnaissance beyond discovering the Gradio interface.

Weaknesses (CWE)

CWE-1333 — Inefficient Regular Expression Complexity: The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

  • [Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
  • [System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
March 20, 2025
Last Modified
October 15, 2025
First Seen
March 20, 2025