AI Threat Alert AI Threat Alert

CVE-2024-1728: Gradio: path traversal leaks arbitrary files, potential RCE

HIGH PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*
Published April 10, 2024
CISO Take

Any internet-exposed Gradio instance is vulnerable to unauthenticated file read — including SSH private keys, API tokens, and model credentials stored on the server. With zero prerequisites (no auth, no user interaction), this is trivially exploitable at scale against public Hugging Face Spaces and self-hosted ML demos. Patch immediately to 4.19.2+; if patching is not immediately possible, take public-facing Gradio instances offline or firewall them to known IPs.

Risk Assessment

HIGH. CVSS 7.5 understates operational risk for AI/ML teams. Gradio is the de-facto standard for ML model demos and internal tooling — nearly every data science team has at least one deployment. The attack requires no authentication and no user interaction, making automated scanning and mass exploitation trivial. The primary confidentiality impact (file read) creates a critical credential harvesting surface: SSH keys extracted from a Gradio server can pivot attackers into training infrastructure, model registries, and cloud environments. The RCE potential elevates this further if chained with other vulnerabilities.

Affected Systems

Package Ecosystem Vulnerable Range Patched
gradio pip No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
86.5%
chance of exploitation in 30 days
Higher than 99% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 87%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

Recommended Action

5 steps

  1. PATCH

    Upgrade to Gradio 4.19.2 or later (commit 16fbe9c). This is the only complete fix.

  2. IMMEDIATE WORKAROUND

    If patching is blocked, disable UploadButton components or restrict /queue/join endpoint to authenticated internal networks via WAF/reverse proxy rules.

  3. CREDENTIAL ROTATION

    Audit what secrets exist on servers running Gradio — rotate any SSH keys, API tokens, cloud credentials, and model registry tokens accessible to the Gradio process. Assume compromise for any public-facing instance running affected versions.

  4. DETECTION

    Search server logs for /queue/join requests containing path traversal sequences (../, %2e%2e, encoded variants). Monitor for unexpected file access patterns in process-level audit logs (auditd/falco).

  5. SCOPE

    Run pip show gradio across all environments; use SBOM tooling to identify transitive Gradio dependencies in larger applications.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Code Execution Privacy Violation Framework API Inference AML.T0010.001 AML.T0025 AML.T0035 AML.T0037 AML.T0049 AML.T0055

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - Information security in supplier relationships A.9.2 - Protection of AI system resources
NIST AI RMF
GOVERN-6.2 - Risk from third-party AI components MANAGE-2.2 - Risk response and remediation
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-1728?

Any internet-exposed Gradio instance is vulnerable to unauthenticated file read — including SSH private keys, API tokens, and model credentials stored on the server. With zero prerequisites (no auth, no user interaction), this is trivially exploitable at scale against public Hugging Face Spaces and self-hosted ML demos. Patch immediately to 4.19.2+; if patching is not immediately possible, take public-facing Gradio instances offline or firewall them to known IPs.

Is CVE-2024-1728 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1728, increasing the risk of exploitation.

How to fix CVE-2024-1728?

1. PATCH: Upgrade to Gradio 4.19.2 or later (commit 16fbe9c). This is the only complete fix. 2. IMMEDIATE WORKAROUND: If patching is blocked, disable UploadButton components or restrict /queue/join endpoint to authenticated internal networks via WAF/reverse proxy rules. 3. CREDENTIAL ROTATION: Audit what secrets exist on servers running Gradio — rotate any SSH keys, API tokens, cloud credentials, and model registry tokens accessible to the Gradio process. Assume compromise for any public-facing instance running affected versions. 4. DETECTION: Search server logs for /queue/join requests containing path traversal sequences (../, %2e%2e, encoded variants). Monitor for unexpected file access patterns in process-level audit logs (auditd/falco). 5. SCOPE: Run `pip show gradio` across all environments; use SBOM tooling to identify transitive Gradio dependencies in larger applications.

What systems are affected by CVE-2024-1728?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo environments, public-facing AI applications, training pipeline management UIs, MLOps tooling.

What is the CVSS score for CVE-2024-1728?

CVE-2024-1728 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 86.51%.

Technical Details

NVD Description

gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.

Exploitation Scenario

An adversary scans Hugging Face Spaces or self-hosted AI demo servers for Gradio instances. Using a simple POST request to /queue/join with a crafted file path payload in the UploadButton data (e.g., ../../../../root/.ssh/id_rsa), the attacker retrieves the server's SSH private key without any authentication. With the key in hand, they SSH into the underlying VPS, gain access to the full training environment, exfiltrate proprietary model weights, inject backdoors into training pipelines, or pivot laterally to cloud accounts via stored AWS/GCP credentials. The entire chain from unauthenticated HTTP request to model theft takes under 5 minutes.

Weaknesses (CWE)

CWE-22

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
April 10, 2024
Last Modified
July 30, 2025
First Seen
April 10, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2024/CVE-2024-1728.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2024-47167 9.8

Gradio: unauthenticated SSRF in /queue/join, internal pivot

Same package: gradio
CRITICAL CVE-2024-39236 9.8

Gradio: code injection via component metadata (CVSS 9.8)

Same package: gradio
CRITICAL CVE-2023-25823 9.8

Gradio: hardcoded SSH key leaks via share=True demos

Same package: gradio
CRITICAL CVE-2024-0964 9.4

Gradio: unauthenticated LFI exposes full server filesystem

Same package: gradio
CRITICAL CVE-2023-34239 9.1

Gradio: path traversal + SSRF exposes model files & infra

Same package: gradio
Back to Threat Feed