CVE-2024-1728: Gradio: path traversal leaks arbitrary files, potential RCE

HIGH PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*

Published April 10, 2024

CISO Take

Any internet-exposed Gradio instance is vulnerable to unauthenticated file read — including SSH private keys, API tokens, and model credentials stored on the server. With zero prerequisites (no auth, no user interaction), this is trivially exploitable at scale against public Hugging Face Spaces and self-hosted ML demos. Patch immediately to 4.19.2+; if patching is not immediately possible, take public-facing Gradio instances offline or firewall them to known IPs.

What is the risk?

HIGH. CVSS 7.5 understates operational risk for AI/ML teams. Gradio is the de-facto standard for ML model demos and internal tooling — nearly every data science team has at least one deployment. The attack requires no authentication and no user interaction, making automated scanning and mass exploitation trivial. The primary confidentiality impact (file read) creates a critical credential harvesting surface: SSH keys extracted from a Gradio server can pivot attackers into training infrastructure, model registries, and cloud environments. The RCE potential elevates this further if chained with other vulnerabilities.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Gradio	pip	—	No patch
43.0K OpenSSF 5.6 685 dependents Pushed 4d ago 26% patched ~110d to patch Full package profile →

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

85.4%

chance of exploitation in 30 days

Higher than 100% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 85%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

PATCH

Upgrade to Gradio 4.19.2 or later (commit 16fbe9c). This is the only complete fix.
IMMEDIATE WORKAROUND

If patching is blocked, disable UploadButton components or restrict /queue/join endpoint to authenticated internal networks via WAF/reverse proxy rules.
CREDENTIAL ROTATION

Audit what secrets exist on servers running Gradio — rotate any SSH keys, API tokens, cloud credentials, and model registry tokens accessible to the Gradio process. Assume compromise for any public-facing instance running affected versions.
DETECTION

Search server logs for /queue/join requests containing path traversal sequences (../, %2e%2e, encoded variants). Monitor for unexpected file access patterns in process-level audit logs (auditd/falco).
SCOPE

Run pip show gradio across all environments; use SBOM tooling to identify transitive Gradio dependencies in larger applications.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Code Execution Privacy Violation Framework API Inference AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - Information security in supplier relationships A.9.2 - Protection of AI system resources

NIST AI RMF

GOVERN-6.2 - Risk from third-party AI components MANAGE-2.2 - Risk response and remediation

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-1728?

Is CVE-2024-1728 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1728, increasing the risk of exploitation.

How to fix CVE-2024-1728?

1. PATCH: Upgrade to Gradio 4.19.2 or later (commit 16fbe9c). This is the only complete fix. 2. IMMEDIATE WORKAROUND: If patching is blocked, disable UploadButton components or restrict /queue/join endpoint to authenticated internal networks via WAF/reverse proxy rules. 3. CREDENTIAL ROTATION: Audit what secrets exist on servers running Gradio — rotate any SSH keys, API tokens, cloud credentials, and model registry tokens accessible to the Gradio process. Assume compromise for any public-facing instance running affected versions. 4. DETECTION: Search server logs for /queue/join requests containing path traversal sequences (../, %2e%2e, encoded variants). Monitor for unexpected file access patterns in process-level audit logs (auditd/falco). 5. SCOPE: Run `pip show gradio` across all environments; use SBOM tooling to identify transitive Gradio dependencies in larger applications.

What systems are affected by CVE-2024-1728?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo environments, public-facing AI applications, training pipeline management UIs, MLOps tooling.

What is the CVSS score for CVE-2024-1728?

CVE-2024-1728 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 85.39%.

What is the AI security impact?

Affected AI Architectures

model servingML demo environmentspublic-facing AI applicationstraining pipeline management UIsMLOps tooling

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.1.2, A.9.2

NIST AI RMF: GOVERN-6.2, MANAGE-2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.

Exploitation Scenario

An adversary scans Hugging Face Spaces or self-hosted AI demo servers for Gradio instances. Using a simple POST request to /queue/join with a crafted file path payload in the UploadButton data (e.g., ../../../../root/.ssh/id_rsa), the attacker retrieves the server's SSH private key without any authentication. With the key in hand, they SSH into the underlying VPS, gain access to the full training environment, exfiltrate proprietary model weights, inject backdoors into training pipelines, or pivot laterally to cloud accounts via stored AWS/GCP credentials. The entire chain from unauthenticated HTTP request to model theft takes under 5 minutes.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.