CVE-2024-10624: Gradio: ReDoS in DateTime causes CPU exhaustion DoS

GHSA-rvgh-pr46-x7gg | Severity: HIGH | PoC available | CISA SSVC: Track*
Published March 20, 2025
CISO Take

An unauthenticated attacker can send a single crafted HTTP request to any Gradio deployment using the gr.Datetime component and pin server CPU at 100%, taking down your ML inference endpoint. No exploit sophistication required — the attack surface is any publicly exposed Gradio interface. Upgrade Gradio past the affected range (4.38.0–5.0.0-beta.2) immediately; if you cannot patch, block or rate-limit access to Gradio datetime endpoints at the WAF layer.

Risk Assessment

CVSS 7.5 (High) with low EPSS (0.78%) — not actively exploited in the wild as of disclosure, but trivially weaponizable. No authentication, no privileges, no user interaction required. The blast radius is availability only (no data exfiltration), but for AI teams running Gradio as a production inference UI or internal demo platform, a sustained attack renders the service completely unavailable. Risk is elevated for organizations exposing Gradio to the public internet without rate limiting or WAF controls.

Affected Systems

Package   Ecosystem   Vulnerable Range              Patched
gradio    pip         >= 4.38.0, <= 5.0.0-beta.2    No patch

Package profile: 42.5K, OpenSSF score 5.6, 674 dependents, 27% of dependents patched, ~110d to patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.8% chance of exploitation in 30 days (higher than 75% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

Recommended Action

  1. PATCH: Upgrade Gradio to a version beyond 5.0.0-beta.2; verify the fix for CVE-2024-10624 is included in the target version changelog.

  2. WORKAROUND (if patching is delayed): Remove or disable gr.Datetime components from production interfaces. Replace with a plain text input with server-side validation using a non-backtracking regex or datetime parsing library.

  3. WAF/RATE LIMITING: Implement request rate limiting on Gradio endpoints (e.g., nginx limit_req or Cloudflare rate limiting). Limit input field length at the reverse proxy layer.

  4. DETECTION: Alert on sustained high CPU usage (>80% for >30s) in Gradio worker processes. Log and inspect incoming datetime field values for anomalous patterns (excessive whitespace, unusual character repetition).

  5. ISOLATION: Run Gradio processes in containers with CPU limits (e.g., Docker --cpus=1) to contain blast radius.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.3 - AI system operation and monitoring
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place to sustain AI RMF plans
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2024-10624 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-10624, increasing the risk of exploitation.

What systems are affected by CVE-2024-10624?

This vulnerability affects the following AI/ML architecture patterns: ML demo interfaces, model serving, AI prototyping platforms, HuggingFace Spaces deployments.

What is the CVSS score for CVE-2024-10624?

CVE-2024-10624 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.82%.

Technical Details

NVD Description

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$` to process user input. In Python's default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.
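As an added example (not Gradio's own code and not the project's patch), the following Python shows the kind of server-side replacement suggested under step 2 of the Recommended Action: the backtracking pattern quoted above is replaced by a single forward-pass parser for the same `now - <digits><unit>` grammar, so matching cost is linear in the input length however the whitespace is arranged. It also applies a length cap and flags raw field values with the "excessive whitespace" and "character repetition" characteristics named under step 4. `MAX_INPUT_LEN`, `MAX_WHITESPACE` and `MAX_RUN` are assumed thresholds for illustration; the original pattern is evaluated only on length-capped benign inputs, to confirm the replacement accepts the same grammar.

```python
import re
from typing import Optional, Tuple

# Pattern quoted in the NVD description of CVE-2024-10624 (subject to
# polynomial backtracking on crafted whitespace-heavy input).
ORIGINAL_PATTERN = re.compile(r"^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$")

# Assumption for this example: no legitimate relative-datetime value is longer
# than this, so anything longer is rejected before any parsing happens.
MAX_INPUT_LEN = 64

UNITS = "dmhs"          # same unit character class as the original pattern
DIGITS = "0123456789"   # ASCII digits only; int() would reject other Unicode digits


def parse_relative_datetime(value: str) -> Optional[Tuple[int, str]]:
    """Accept '', 'now', or 'now - <digits><unit>' with optional whitespace.

    One forward pass over the string, never backing up, so the cost is linear
    in the input length.  Returns (amount, unit); plain 'now' (or a blank value,
    which the original pattern also accepts) yields (0, ''); anything else None.
    """
    if len(value) > MAX_INPUT_LEN:
        return None
    s = value.strip()
    if s == "":
        return (0, "")
    if not s.startswith("now"):
        return None
    rest = s[3:].lstrip()
    if rest == "":
        return (0, "")
    if rest[0] != "-":
        return None
    rest = rest[1:].lstrip()
    i = 0
    while i < len(rest) and rest[i] in DIGITS:
        i += 1
    if i == 0:
        return None
    amount = int(rest[:i])
    rest = rest[i:].lstrip()    # trailing whitespace already removed by strip()
    if len(rest) != 1 or rest not in UNITS:
        return None
    return (amount, rest)


def matches_original(value: str) -> bool:
    """Run the original regex only on length-capped input, to compare grammars."""
    if len(value) > MAX_INPUT_LEN:
        return False
    return ORIGINAL_PATTERN.match(value) is not None


# Detection thresholds (assumed for illustration): a legitimate value carries
# at most a few spaces and no long runs of one character.
MAX_WHITESPACE = 8
MAX_RUN = 8


def flag_suspicious(value: str) -> Optional[str]:
    """Return a short reason if a raw datetime field value looks like ReDoS probing."""
    if len(value) > MAX_INPUT_LEN:
        return "oversized value"
    if sum(1 for c in value if c.isspace()) > MAX_WHITESPACE:
        return "excessive whitespace"
    run = 1
    for prev, cur in zip(value, value[1:]):
        run = run + 1 if cur == prev else 1
        if run > MAX_RUN:
            return "repeated character run"
    return None


def triage(values):
    """Parse each submitted value and attach a detection flag, for log review."""
    return [(v, parse_relative_datetime(v), flag_suspicious(v)) for v in values]


if __name__ == "__main__":
    # Constructed sample field values (not taken from any real deployment).
    samples = ["now", "now - 3 d", "  now-15m ", "tomorrow", "now" + " " * 40 + "-"]
    for value, parsed, flag in triage(samples):
        print(repr(value[:24]), "->", parsed, "| flag:", flag)
```

The parser accepts exactly the values the original pattern accepts on well-formed input, but rejects oversized input before touching it, and `flag_suspicious` gives a log-review hook for the whitespace and repetition patterns the detection step describes.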

Exploitation Scenario

An adversary targeting a competitor's publicly accessible ML demo built on Gradio identifies a gr.Datetime input field. They craft an HTTP POST request with a datetime value containing excessive whitespace padding designed to trigger catastrophic backtracking in Python's re engine against the pattern `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$`. A simple bash loop sending 10–20 concurrent requests pegs the Gradio Python process at 100% CPU. Because Gradio runs single-threaded by default, no other inference requests can be processed. The attacker sustains the attack with minimal resources (a single low-bandwidth connection suffices) while the victim's model serving endpoint is completely unavailable. For HuggingFace Spaces or public demo deployments, this requires zero reconnaissance beyond discovering the Gradio interface.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: March 20, 2025
Last Modified: October 15, 2025
First Seen: March 20, 2025

Related Vulnerabilities