CVE-2024-1561: Gradio: path traversal enables arbitrary file read
UNKNOWN | ACTIVELY EXPLOITED | PoC AVAILABLE | NUCLEI TEMPLATE | CISA: TRACK*
Any Gradio instance exposed to the internet, including HuggingFace Spaces, is vulnerable to unauthenticated full filesystem read via a single crafted HTTP request. The immediate danger is credential exfiltration: API keys, HuggingFace tokens, and cloud provider secrets stored in environment variables are all at risk. Patch to Gradio 4.13.0+ immediately and rotate all secrets on any host that ran an exposed Gradio app.
Risk Assessment
CRITICAL for internet-facing deployments. Exploitation requires zero authentication and zero ML knowledge — a single POST to /component_server with controlled arguments is sufficient. The blast radius extends beyond the Gradio process: any file readable by the process user is extractable, including .env files, SSH keys, cloud credentials, and model configuration secrets. HuggingFace-hosted apps compound the risk at scale, as HF_TOKEN extraction grants full account takeover across all hosted models and datasets.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | — | No patch |
Do you use gradio? You're affected.
Recommended Action
1. PATCH: Upgrade Gradio to 4.13.0 or later; the fix restricts method invocation on /component_server.
2. NETWORK: Remove share=True from all production or semi-public Gradio instances; restrict port access via firewall.
3. ROTATE: Immediately rotate any credentials (HuggingFace tokens, OpenAI keys, cloud creds) stored as env vars on hosts running affected Gradio versions.
4. AUDIT: Search codebase and deployment configs for share=True usage; inventory all Gradio-based apps exposed beyond localhost.
5. DETECT: Alert on POST requests to /component_server with body parameters containing path separators (../, /, etc.) in NGINX/application logs.
6. MITIGATE (if unpatched): Run Gradio in a sandboxed container with minimal filesystem access and no cloud credentials mounted.
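One way to implement the DETECT step, as an added example that is not part of the original advisory or of Gradio. It assumes a reverse proxy or application middleware writes one JSON record per request with `client`, `method`, `path` and `body` fields (stock NGINX access logs do not capture request bodies); those field names and the body keys in the sample records are constructed placeholders.

```python
import json
from urllib.parse import unquote, urlsplit

ENDPOINT = "/component_server"                 # endpoint named in the advisory
RISKY_METHOD = "move_resource_to_block_cache"  # method named in the NVD description
SEPARATORS = ("/", "\\", "..")

def iter_strings(value):
    """Yield every string key and value nested anywhere in a decoded JSON body."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield key
            yield from iter_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from iter_strings(item)

def reasons_for(record):
    """Return the sorted alert reasons for one logged request (empty list = no alert)."""
    path = urlsplit(record.get("path", "")).path.rstrip("/")
    if record.get("method") != "POST" or not path.endswith(ENDPOINT):
        return []
    raw = record.get("body", "")
    try:
        strings = list(iter_strings(json.loads(raw)))
    except (TypeError, ValueError):
        strings = [str(raw)]  # body is not JSON: scan the raw text instead
    reasons = set()
    for text in strings:
        decoded = unquote(unquote(text))  # undo single and double URL-encoding
        if RISKY_METHOD in decoded:
            reasons.add("risky-method")
        if any(sep in decoded for sep in SEPARATORS):
            reasons.add("path-separator")
    return sorted(reasons)

def scan(lines):
    """Parse JSON-lines log records and return (client, reasons) for each alert."""
    results = [(rec.get("client"), reasons_for(rec)) for rec in map(json.loads, lines)]
    return [(client, hits) for client, hits in results if hits]

# Constructed sample records; "fn" and "args" are placeholder keys, not Gradio's schema.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"client": "198.51.100.7", "method": "POST", "path": "/component_server", "body": '{"fn": "move_resource_to_block_cache", "args": "/proc/self/environ"}'},
    {"client": "198.51.100.8", "method": "POST", "path": "/component_server/", "body": '{"fn": "refresh", "args": "%252e%252e%252fsecrets"}'},
    {"client": "203.0.113.5", "method": "POST", "path": "/component_server", "body": '{"fn": "refresh", "args": [1, "caption"]}'},
    {"client": "203.0.113.9", "method": "GET", "path": "/config", "body": ""},
)]
```

`scan(SAMPLE_LOG)` flags the first two records and passes the benign POST and the unrelated GET. Tune the separator rule against your own baseline traffic before paging on it.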
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-1561?
Any Gradio instance exposed to the internet — including HuggingFace Spaces — is vulnerable to unauthenticated full filesystem read via a single crafted HTTP request. The immediate danger is credential exfiltration: API keys, HuggingFace tokens, and cloud provider secrets stored in environment variables are all at risk. Patch to Gradio 4.13.0+ immediately and rotate all secrets on any host that ran an exposed Gradio app.
Is CVE-2024-1561 actively exploited?
Yes, CVE-2024-1561 is confirmed actively exploited and listed in the CISA Known Exploited Vulnerabilities catalog.
How to fix CVE-2024-1561?
1. PATCH: Upgrade Gradio to 4.13.0 or later — the fix restricts method invocation on /component_server. 2. NETWORK: Remove share=True from all production or semi-public Gradio instances; restrict port access via firewall. 3. ROTATE: Immediately rotate any credentials (HuggingFace tokens, OpenAI keys, cloud creds) stored as env vars on hosts running affected Gradio versions. 4. AUDIT: Search codebase and deployment configs for share=True usage; inventory all Gradio-based apps exposed beyond localhost. 5. DETECT: Alert on POST requests to /component_server with body parameters containing path separators (../, /, etc.) in NGINX/application logs. 6. MITIGATE (if unpatched): Run Gradio in a sandboxed container with minimal filesystem access and no cloud credentials mounted.
What systems are affected by CVE-2024-1561?
This vulnerability affects the following AI/ML architecture patterns: ML demo interfaces, HuggingFace Spaces, model serving, training pipelines, agent frameworks.
What is the CVSS score for CVE-2024-1561?
No CVSS score has been assigned yet.
Technical Details
NVD Description
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.
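The root cause described above, modelled on a toy class beside one way to restrict method invocation. This is an added example, not Gradio's code or its actual patch: `ToyComponent`, `client_callable`, `list_choices` and both dispatch functions are hypothetical names, and only `move_resource_to_block_cache` is taken from the description.

```python
import shutil
import tempfile
from pathlib import Path

def client_callable(fn):
    """Hypothetical opt-in marker: only marked methods may be invoked by clients."""
    fn._client_callable = True
    return fn

class ToyComponent:
    """Toy stand-in for a UI component (not Gradio's class)."""
    def __init__(self, cache_dir):
        self.cache_dir = Path(cache_dir)

    def move_resource_to_block_cache(self, path):
        """Internal helper: copies a file into the directory the server serves from."""
        return shutil.copy(path, self.cache_dir / Path(path).name)

    @client_callable
    def list_choices(self, prefix):
        return [c for c in ("alpha", "beta") if c.startswith(prefix)]

def dispatch_vulnerable(component, fn_name, data):
    """Flaw: any attribute name supplied by the client resolves to a callable."""
    return getattr(component, fn_name)(data)

def dispatch_hardened(component, fn_name, data):
    """Deny by default: only methods carrying the opt-in marker are reachable."""
    fn = getattr(type(component), str(fn_name), None)
    if not callable(fn) or not getattr(fn, "_client_callable", False):
        raise PermissionError(f"{fn_name!r} is not exposed to clients")
    return fn(component, data)

def demo():
    """Return (content leaked by the flaw, hardened call blocked?, allowed call result)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp, "secret.env")
        secret.write_text("TOKEN=constructed-example")
        cache = Path(tmp, "cache")
        cache.mkdir()
        comp = ToyComponent(cache)
        copied = dispatch_vulnerable(comp, "move_resource_to_block_cache", str(secret))
        leaked = Path(copied).read_text()
        try:
            dispatch_hardened(comp, "move_resource_to_block_cache", str(secret))
            blocked = False
        except PermissionError:
            blocked = True
        return leaked, blocked, dispatch_hardened(comp, "list_choices", "a")
```

The hardened dispatcher looks the name up on the class and requires the marker, so internal helpers and dunder methods are rejected while the intended method still works.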
Exploitation Scenario
Attacker scans Shodan/Censys for exposed Gradio apps or follows a share=True link shared in a public GitHub repo or Slack. They POST to /component_server with method move_resource_to_block_cache and a path argument pointing to /proc/self/environ or ~/.env. Gradio copies the file to its temp cache directory and returns it on the next request. The attacker extracts HF_TOKEN, OPENAI_API_KEY, and AWS credentials in under 60 seconds. On HuggingFace Spaces, this translates to full HF account takeover — the attacker can download all private models, push poisoned model weights, or pivot to other services using the extracted credentials. No specialized knowledge required; a simple curl command suffices.
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
nuclei -t http/cves/2024/CVE-2024-1561.yaml -u https://target.example.com
Related Vulnerabilities
| CVE | Score | Description | Relation |
|---|---|---|---|
| CVE-2024-39236 | 9.8 | Gradio: code injection via component metadata (CVSS 9.8) | Same package: gradio |
| CVE-2023-25823 | 9.8 | Gradio: hardcoded SSH key leaks via share=True demos | Same package: gradio |
| CVE-2024-47167 | 9.8 | Gradio: unauthenticated SSRF in /queue/join, internal pivot | Same package: gradio |
| CVE-2024-0964 | 9.4 | Gradio: unauthenticated LFI exposes full server filesystem | Same package: gradio |
| CVE-2023-34239 | 9.1 | Gradio: path traversal + SSRF exposes model files & infra | Same package: gradio |