AI Threat Alert AI Threat Alert

CVE-2024-12065: LLaVA: path traversal allows arbitrary file read

UNKNOWN PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

Any deployment of LLaVA with a network-accessible Gradio interface is exposed to unauthenticated file read of any system file. Gradio interfaces default to no authentication and are frequently left open — this makes API keys, model configs, and credentials trivially exfiltrable. Immediately firewall the Gradio port (default 7860) to localhost only and audit for leaked secrets.

Risk Assessment

HIGH effective risk despite missing CVSS. CWE-22 path traversal enabling full filesystem read is severe. The attack requires no authentication and no AI/ML knowledge — standard HTTP requests with traversal sequences suffice. Gradio-based ML tools are routinely deployed with public interfaces in research and production environments, dramatically widening exposure. The published PoC on huntr lowers the exploitation bar to trivial.

Affected Systems

Package Ecosystem Vulnerable Range Patched
llava No patch

Do you use llava? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
0.6%
chance of exploitation in 30 days
Higher than 69% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

6 steps

  1. Immediate: Restrict Gradio to localhost by launching with server_name='127.0.0.1' or firewalling port 7860.

  2. Patch: Upgrade to a commit beyond c121f04 — verify the fix addresses path traversal in file serving endpoints.

  3. Rotate any secrets accessible from the LLaVA working directory or parent paths.

  4. Detection: Search server logs for requests containing ../, %2e%2e, or /etc/, /root/, /home/ path patterns.

  5. If public exposure is required, place Gradio behind an authenticated reverse proxy (nginx + basic auth minimum).

  6. Audit all Gradio-based tools in your environment — this class of vulnerability is common across Gradio-fronted models.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Framework Inference AML.T0025 AML.T0035 AML.T0037 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.3 - Information security in AI system design A.8.2 - AI system security
NIST AI RMF
GV-1.4 - Organizational risk tolerance for AI risk MS-2.6 - Risks or side-effects of AI system vulnerabilities are monitored
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-12065?

Any deployment of LLaVA with a network-accessible Gradio interface is exposed to unauthenticated file read of any system file. Gradio interfaces default to no authentication and are frequently left open — this makes API keys, model configs, and credentials trivially exfiltrable. Immediately firewall the Gradio port (default 7860) to localhost only and audit for leaked secrets.

Is CVE-2024-12065 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-12065, increasing the risk of exploitation.

How to fix CVE-2024-12065?

1. Immediate: Restrict Gradio to localhost by launching with `server_name='127.0.0.1'` or firewalling port 7860. 2. Patch: Upgrade to a commit beyond c121f04 — verify the fix addresses path traversal in file serving endpoints. 3. Rotate any secrets accessible from the LLaVA working directory or parent paths. 4. Detection: Search server logs for requests containing `../`, `%2e%2e`, or `/etc/`, `/root/`, `/home/` path patterns. 5. If public exposure is required, place Gradio behind an authenticated reverse proxy (nginx + basic auth minimum). 6. Audit all Gradio-based tools in your environment — this class of vulnerability is common across Gradio-fronted models.

What systems are affected by CVE-2024-12065?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, multimodal AI systems, RAG pipelines, AI research infrastructure.

What is the CVSS score for CVE-2024-12065?

No CVSS score has been assigned yet.

Technical Details

NVD Description

A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacker to access any file on the system by sending multiple crafted requests to the server. The issue is due to improper input validation in the gradio web UI component.

Exploitation Scenario

An adversary discovers a LLaVA instance exposed on port 7860 via Shodan or internal network scan. They send a crafted POST request to the Gradio file-handling API endpoint with a path traversal payload (e.g., `../../../../root/.ssh/id_rsa` or `../../../../etc/passwd`). Multiple sequential requests allow enumeration of the full filesystem. The attacker extracts `.env` files containing Hugging Face tokens, OpenAI API keys, and database credentials — pivoting from a research demo to full cloud account takeover with zero AI/ML expertise required.

Weaknesses (CWE)

CWE-22

References

Timeline

Published
March 20, 2025
Last Modified
October 21, 2025
First Seen
March 20, 2025

Related Vulnerabilities

CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Data Leakage
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Leakage
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
Back to Threat Feed