CVE-2024-1183 — UNKNOWN AI Security Vulnerability

CISO Take

Gradio deployments used for ML model demos and inference UIs are vulnerable to unauthenticated SSRF, allowing attackers to map internal network topology by manipulating a single GET parameter. ML environments typically have privileged internal network access to databases, model servers, and cloud metadata endpoints — making this recon capability particularly dangerous. Patch immediately to the fixed commit and implement egress controls to prevent Gradio processes from reaching internal RFC 1918 address ranges.

Risk Assessment

HIGH risk for organizations with internet-exposed Gradio instances. The exploit is trivial — no authentication, no special knowledge, just GET request manipulation — and ML environments typically run with broad internal network access. No CVSS score is assigned but exploitability is near-certain and impact includes full internal service enumeration. Cloud-deployed ML stacks expose additional risk via metadata endpoint access (169.254.169.254), potentially leading to credential theft and privilege escalation beyond initial recon.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.5 679 dependents Pushed 2d ago 27% patched ~110d to patch Full package profile →

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

55.0%

chance of exploitation in 30 days

Higher than 98% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 55%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

5 steps

Apply the patch from commit 2ad3d9e7ec6c8eeea59774265b44f11df7394bb4 or upgrade to a patched Gradio release.
If immediate patching is blocked, restrict Gradio to authenticated-only access and place it behind a WAF with SSRF rules.
Implement egress filtering to block Gradio processes from initiating connections to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints.
Audit firewall rules to ensure Gradio hosts are network-segmented from production model infrastructure and databases.
Monitor application logs for anomalous GET requests with IP addresses or internal hostnames in the file parameter.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Privacy Violation Framework Inference AML.T0006 - Active Scanning AML.T0049 - Exploit Public-Facing Application AML.T0075 - Cloud Service Discovery

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.1 - Security of AI systems

NIST AI RMF

MANAGE 2.4 - Residual risks from AI system operation and use

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-1183?

Gradio deployments used for ML model demos and inference UIs are vulnerable to unauthenticated SSRF, allowing attackers to map internal network topology by manipulating a single GET parameter. ML environments typically have privileged internal network access to databases, model servers, and cloud metadata endpoints — making this recon capability particularly dangerous. Patch immediately to the fixed commit and implement egress controls to prevent Gradio processes from reaching internal RFC 1918 address ranges.

Is CVE-2024-1183 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1183, increasing the risk of exploitation.

How to fix CVE-2024-1183?

1. Apply the patch from commit 2ad3d9e7ec6c8eeea59774265b44f11df7394bb4 or upgrade to a patched Gradio release. 2. If immediate patching is blocked, restrict Gradio to authenticated-only access and place it behind a WAF with SSRF rules. 3. Implement egress filtering to block Gradio processes from initiating connections to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints. 4. Audit firewall rules to ensure Gradio hosts are network-segmented from production model infrastructure and databases. 5. Monitor application logs for anomalous GET requests with IP addresses or internal hostnames in the file parameter.

What systems are affected by CVE-2024-1183?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo infrastructure, AI development environments, internal ML APIs, Kubernetes ML clusters.

What is the CVSS score for CVE-2024-1183?

No CVSS score has been assigned yet.

Technical Details

NVD Description

An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.

Exploitation Scenario

An attacker targeting an ML team sends crafted GET requests to a public-facing Gradio demo (e.g., /file=http://192.168.1.100:6379). By observing whether the response contains a Location redirect header (port open) versus a 'File not allowed' error (port closed), the attacker iterates across internal IP ranges and common ML service ports — Redis (6379), MLflow (5000), Jupyter (8888), Kubeflow (8080), internal model APIs. Within minutes they build a complete internal service map. From there, unauthenticated services (common in internal ML tooling) become direct targets for follow-on exploitation.