CVE-2024-1727 — UNKNOWN AI Security Vulnerability

CISO Take

Teams running Gradio locally for ML demos or model prototyping are exposed to denial-of-service via disk exhaustion if a researcher visits a malicious webpage. Patch to the fixed commit immediately and restrict Gradio server binding to localhost-only with no external network exposure. Risk is highest in shared ML dev environments where disk exhaustion can disrupt CI/CD pipelines and active training jobs.

Risk Assessment

Medium risk for ML development environments. The CSRF exploit is trivial—no AI knowledge required—but impact is bounded to local or intranet-accessible Gradio instances. In shared ML infrastructure such as JupyterHub or team dev servers, the blast radius expands significantly as disk exhaustion can halt multiple users and running workloads simultaneously. No active exploitation reported and no CISA KEV listing, but the attack surface is broad given Gradio's widespread adoption in the ML community.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.5 679 dependents Pushed 2d ago 27% patched ~110d to patch Full package profile →

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.2%

chance of exploitation in 30 days

Higher than 35% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

5 steps

Patch: update to commit 84802ee6a4806c25287344dce581f9548a99834a or the corresponding patched Gradio release.
Restrict binding: launch Gradio with --server_name 127.0.0.1 to prevent any network access beyond localhost.
Add upload rate limiting and maximum file size caps at the reverse proxy or application level.
Monitor disk usage on ML dev servers with alerting on anomalous rapid consumption in upload or temp directories.
Audit firewall rules to ensure no Gradio ports (default 7860) are inadvertently exposed. Detection: watch for high-frequency POST requests to /upload endpoints from unexpected origins.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Auth Bypass Framework AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application AML.T0078 - Drive-by Compromise

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system security

NIST AI RMF

MS-2.5 - Risk Response

OWASP LLM Top 10

LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2024-1727?

Teams running Gradio locally for ML demos or model prototyping are exposed to denial-of-service via disk exhaustion if a researcher visits a malicious webpage. Patch to the fixed commit immediately and restrict Gradio server binding to localhost-only with no external network exposure. Risk is highest in shared ML dev environments where disk exhaustion can disrupt CI/CD pipelines and active training jobs.

Is CVE-2024-1727 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1727, increasing the risk of exploitation.

How to fix CVE-2024-1727?

1. Patch: update to commit 84802ee6a4806c25287344dce581f9548a99834a or the corresponding patched Gradio release. 2. Restrict binding: launch Gradio with --server_name 127.0.0.1 to prevent any network access beyond localhost. 3. Add upload rate limiting and maximum file size caps at the reverse proxy or application level. 4. Monitor disk usage on ML dev servers with alerting on anomalous rapid consumption in upload or temp directories. 5. Audit firewall rules to ensure no Gradio ports (default 7860) are inadvertently exposed. Detection: watch for high-frequency POST requests to /upload endpoints from unexpected origins.

What systems are affected by CVE-2024-1727?

This vulnerability affects the following AI/ML architecture patterns: ML development environments, model demo/prototyping, local model serving.

What is the CVSS score for CVE-2024-1727?

No CVSS score has been assigned yet.

Technical Details

NVD Description

A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py.

Exploitation Scenario

An attacker hosts a malicious HTML page containing JavaScript that silently fires multiple large file upload POST requests to http://localhost:7860/upload—Gradio's default endpoint—the moment a victim visits the page. No authentication is required due to the absent CSRF token validation. The victim, likely an ML engineer with a local Gradio demo running, has their disk progressively filled until the system becomes unresponsive, interrupting active model training, corrupting in-progress experiments, or crashing shared infrastructure. The entire attack is invisible to the victim and requires only one page visit.