CVE-2024-12065: LLaVA: path traversal allows arbitrary file read

UNKNOWN PoC AVAILABLE CISA: TRACK*

Published March 20, 2025

CISO Take

Any deployment of LLaVA with a network-accessible Gradio interface is exposed to unauthenticated file read of any system file. Gradio interfaces default to no authentication and are frequently left open — this makes API keys, model configs, and credentials trivially exfiltrable. Immediately firewall the Gradio port (default 7860) to localhost only and audit for leaked secrets.

What is the risk?

HIGH effective risk despite missing CVSS. CWE-22 path traversal enabling full filesystem read is severe. The attack requires no authentication and no AI/ML knowledge — standard HTTP requests with traversal sequences suffice. Gradio-based ML tools are routinely deployed with public interfaces in research and production environments, dramatically widening exposure. The published PoC on huntr lowers the exploitation bar to trivial.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
llava	—	—	No patch

Do you use llava? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

0.9%

chance of exploitation in 30 days

Higher than 54% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

6 steps

Immediate: Restrict Gradio to localhost by launching with server_name='127.0.0.1' or firewalling port 7860.
Patch: Upgrade to a commit beyond c121f04 — verify the fix addresses path traversal in file serving endpoints.
Rotate any secrets accessible from the LLaVA working directory or parent paths.
Detection: Search server logs for requests containing ../, %2e%2e, or /etc/, /root/, /home/ path patterns.
If public exposure is required, place Gradio behind an authenticated reverse proxy (nginx + basic auth minimum).
Audit all Gradio-based tools in your environment — this class of vulnerability is common across Gradio-fronted models.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Framework Inference AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.3 - Information security in AI system design A.8.2 - AI system security

NIST AI RMF

GV-1.4 - Organizational risk tolerance for AI risk MS-2.6 - Risks or side-effects of AI system vulnerabilities are monitored

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-12065?

Is CVE-2024-12065 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-12065, increasing the risk of exploitation.

How to fix CVE-2024-12065?

1. Immediate: Restrict Gradio to localhost by launching with `server_name='127.0.0.1'` or firewalling port 7860. 2. Patch: Upgrade to a commit beyond c121f04 — verify the fix addresses path traversal in file serving endpoints. 3. Rotate any secrets accessible from the LLaVA working directory or parent paths. 4. Detection: Search server logs for requests containing `../`, `%2e%2e`, or `/etc/`, `/root/`, `/home/` path patterns. 5. If public exposure is required, place Gradio behind an authenticated reverse proxy (nginx + basic auth minimum). 6. Audit all Gradio-based tools in your environment — this class of vulnerability is common across Gradio-fronted models.

What systems are affected by CVE-2024-12065?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML development environments, multimodal AI systems, RAG pipelines, AI research infrastructure.

What is the CVSS score for CVE-2024-12065?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model servingML development environmentsmultimodal AI systemsRAG pipelinesAI research infrastructure

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.6.1.3, A.8.2

NIST AI RMF: GV-1.4, MS-2.6

OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacker to access any file on the system by sending multiple crafted requests to the server. The issue is due to improper input validation in the gradio web UI component.

Exploitation Scenario

An adversary discovers a LLaVA instance exposed on port 7860 via Shodan or internal network scan. They send a crafted POST request to the Gradio file-handling API endpoint with a path traversal payload (e.g., `../../../../root/.ssh/id_rsa` or `../../../../etc/passwd`). Multiple sequential requests allow enumeration of the full filesystem. The attacker extracts `.env` files containing Hugging Face tokens, OpenAI API keys, and database credentials — pivoting from a research demo to full cloud account takeover with zero AI/ML expertise required.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.