AI Threat Alert

CVE-2024-1561: Gradio: path traversal enables arbitrary file read

UNKNOWN ACTIVELY EXPLOITED PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*
Published April 16, 2024
CISO Take

Any Gradio instance exposed to the internet — including HuggingFace Spaces — is vulnerable to unauthenticated full filesystem read via a single crafted HTTP request. The immediate danger is credential exfiltration: API keys, HuggingFace tokens, and cloud provider secrets stored in environment variables are all at risk. Patch to Gradio 4.13.0+ immediately and rotate all secrets on any host that ran an exposed Gradio app.

What is the risk?

CRITICAL for internet-facing deployments. Exploitation requires zero authentication and zero ML knowledge — a single POST to /component_server with controlled arguments is sufficient. The blast radius extends beyond the Gradio process: any file readable by the process user is extractable, including .env files, SSH keys, cloud credentials, and model configuration secrets. HuggingFace-hosted apps compound the risk at scale, as HF_TOKEN extraction grants full account takeover across all hosted models and datasets.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Gradio pip No patch
43.0K OpenSSF 5.6 685 dependents Pushed 4d ago 26% patched ~110d to patch Full package profile →

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
9.2%
chance of exploitation in 30 days
Higher than 95% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Actively Exploited
Sophistication
Trivial
Exploitation Confidence
high
CISA KEV (active exploitation confirmed)
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

6 steps

  1. PATCH

    Upgrade Gradio to 4.13.0 or later — the fix restricts method invocation on /component_server.

  2. NETWORK

    Remove share=True from all production or semi-public Gradio instances; restrict port access via firewall.

  3. ROTATE

    Immediately rotate any credentials (HuggingFace tokens, OpenAI keys, cloud creds) stored as env vars on hosts running affected Gradio versions.

  4. AUDIT

    Search codebase and deployment configs for share=True usage; inventory all Gradio-based apps exposed beyond localhost.

  5. DETECT

    Alert on POST requests to /component_server with body parameters containing path separators (../, /, etc.) in NGINX/application logs.

  6. MITIGATE (if unpatched): Run Gradio in a sandboxed container with minimal filesystem access and no cloud credentials mounted.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Framework API AML.T0025 AML.T0035 AML.T0037 AML.T0049 AML.T0055

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Protection of AI system resources
NIST AI RMF
MANAGE-2.4 - Residual risks are managed
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-1561?

Any Gradio instance exposed to the internet — including HuggingFace Spaces — is vulnerable to unauthenticated full filesystem read via a single crafted HTTP request. The immediate danger is credential exfiltration: API keys, HuggingFace tokens, and cloud provider secrets stored in environment variables are all at risk. Patch to Gradio 4.13.0+ immediately and rotate all secrets on any host that ran an exposed Gradio app.

Is CVE-2024-1561 actively exploited?

Yes, CVE-2024-1561 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2024-1561?

1. PATCH: Upgrade Gradio to 4.13.0 or later — the fix restricts method invocation on /component_server. 2. NETWORK: Remove share=True from all production or semi-public Gradio instances; restrict port access via firewall. 3. ROTATE: Immediately rotate any credentials (HuggingFace tokens, OpenAI keys, cloud creds) stored as env vars on hosts running affected Gradio versions. 4. AUDIT: Search codebase and deployment configs for share=True usage; inventory all Gradio-based apps exposed beyond localhost. 5. DETECT: Alert on POST requests to /component_server with body parameters containing path separators (../, /, etc.) in NGINX/application logs. 6. MITIGATE (if unpatched): Run Gradio in a sandboxed container with minimal filesystem access and no cloud credentials mounted.

What systems are affected by CVE-2024-1561?

This vulnerability affects the following AI/ML architecture patterns: ML demo interfaces, HuggingFace Spaces, model serving, training pipelines, agent frameworks.

What is the CVSS score for CVE-2024-1561?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

ML demo interfacesHuggingFace Spacesmodel servingtraining pipelinesagent frameworks

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.4
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.

Exploitation Scenario

Attacker scans Shodan/Censys for exposed Gradio apps or follows a share=True link shared in a public GitHub repo or Slack. They POST to /component_server with method move_resource_to_block_cache and a path argument pointing to /proc/self/environ or ~/.env. Gradio copies the file to its temp cache directory and returns it on the next request. The attacker extracts HF_TOKEN, OPENAI_API_KEY, and AWS credentials in under 60 seconds. On HuggingFace Spaces, this translates to full HF account takeover — the attacker can download all private models, push poisoned model weights, or pivot to other services using the extracted credentials. No specialized knowledge required; a simple curl command suffices.

Weaknesses (CWE)

CWE-29 Path Traversal: '\..\filename'

CWE-29 — Path Traversal: '\..\filename': The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Source: MITRE CWE corpus.

References

Timeline

Published
April 16, 2024
Last Modified
July 30, 2025
First Seen
April 16, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2024/CVE-2024-1561.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2024-39236 9.8

Gradio: code injection via component metadata (CVSS 9.8)

Same package: gradio
CRITICAL CVE-2024-47167 9.8

Gradio: unauthenticated SSRF in /queue/join, internal pivot

Same package: gradio
CRITICAL CVE-2023-25823 9.8

Gradio: hardcoded SSH key leaks via share=True demos

Same package: gradio
CRITICAL CVE-2024-0964 9.4

Gradio: unauthenticated LFI exposes full server filesystem

Same package: gradio
CRITICAL CVE-2024-4253 9.1

Gradio: CI/CD command injection enables secrets exfiltration

Same package: gradio
Back to Threat Feed