CVE-2024-1729: Gradio: timing attack enables auth bypass on ML UIs

UNKNOWN | PoC AVAILABLE | CISA: ATTEND
Published March 29, 2024
CISO Take

Gradio's built-in authentication uses non-constant-time string comparison, letting attackers infer passwords by measuring response times. Any internet-exposed Gradio instance using native username/password auth is at risk of credential theft and unauthorized model access. Patch immediately or move authentication to a reverse proxy — do not rely on Gradio's native auth for any production deployment.

Risk Assessment

Medium risk with high exposure potential. Gradio is ubiquitous in enterprise ML demos, internal AI tooling, and PoC deployments — often secured only by its native auth. Timing attacks are well-understood, require no special privileges, and are fully scriptable. The primary constraint is network noise, which can be mitigated by averaging multiple measurements. No CVSS score is assigned, but practical exploitability is moderate given the large number of internet-exposed Gradio instances.

Affected Systems

Package: gradio
Ecosystem: pip
Vulnerable Range: -
Patched: No patch
42.5K | OpenSSF 5.5 | 679 dependents | Pushed 2d ago | 27% patched | ~110d to patch

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.1% chance of exploitation in 30 days (higher than 24% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Patch: upgrade Gradio to a version including commit e329f1fd38935213fe0e73962e8cbd5d3af6e87b (replaces direct comparison with secrets.compare_digest).

  2. Interim workaround: place Gradio behind nginx/Caddy with HTTP Basic Auth or OAuth2 proxy — remove the auth= parameter from Gradio itself.

  3. Rate limiting: enforce aggressive login rate limits (5 attempts/minute/IP) via WAF or fail2ban.

  4. Detection: alert on >20 failed authentication attempts from a single IP within 60 seconds against Gradio endpoints.

  5. Audit: inventory all Gradio deployments in your environment and verify none are internet-facing without a hardened auth layer.
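
The detection rule in step 4, written out as an added example (not code from Gradio or from this advisory). It assumes an nginx "combined" access log in front of Gradio, a login path of /login, and failed logins answered with 400 or 401; the IP addresses and log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumptions: nginx "combined" access log, each client's lines in time order,
# login path /login, failed logins answered with 400 or 401. Adjust to your proxy.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) [^"]*" (\d{3}) ')
THRESHOLD, WINDOW = 20, timedelta(seconds=60)


def failed_login_alerts(lines, path="/login", fail_codes=(400, 401)):
    """Return (ip, time) for each IP that passes THRESHOLD failures in WINDOW."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    alerting, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3).split("?")[0] != path:
            continue
        if int(m.group(4)) not in fail_codes:
            continue
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) <= THRESHOLD:
            alerting.discard(ip)    # burst over; re-arm for this IP
        elif ip not in alerting:
            alerting.add(ip)
            alerts.append((ip, ts))
    return alerts


def sample_log():
    """Constructed lines: a fast guesser, a slow client, one successful login."""
    base = datetime(2024, 3, 29, 10, 0, tzinfo=timezone.utc)

    def row(ip, secs, code):
        t = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{t}] "POST /login HTTP/1.1" {code} 31 "-" "-"'

    fast = [row("203.0.113.7", 2 * i, 400) for i in range(25)]
    slow = [row("198.51.100.9", 10 * i, 400) for i in range(25)]
    return fast + slow + [row("192.0.2.5", 5, 200)]
```

The slow client never alerts because a per-IP threshold only catches bursts; pair it with the rate limit in step 3 and a longer-window count for low-and-slow guessing.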

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.8.1 - Information security measures for AI systems
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems and minimize negative impacts
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-1729 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1729, increasing the risk of exploitation.

What systems are affected by CVE-2024-1729?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo platforms, AI web UIs, internal AI tooling, RAG pipelines.

What is the CVSS score for CVE-2024-1729?

No CVSS score has been assigned yet.

Technical Details

NVD Description

A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.
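
The comparison pattern named in the description, next to a hardened form, as an added example (not Gradio's code and not the text of the patch). `AUTH` stands in for `app.auth`; the credentials, the HMAC step and the dummy value for unknown usernames are assumptions that go beyond the single-call change the fix describes.

```python
import hmac
import secrets

# Constructed credential store standing in for the app.auth mapping.
AUTH = {"admin": "correct horse battery staple", "zoë": "pässwörd"}

# Per-process random values (assumed helpers, not part of Gradio).
_MAC_KEY = secrets.token_bytes(32)      # keys the fixed-length digests below
_DUMMY = secrets.token_urlsafe(32)      # compared against for unknown users


def login_vulnerable(username: str, password: str) -> bool:
    """Pattern from the NVD description: '==' may stop at the first mismatch."""
    return username in AUTH and AUTH[username] == password


def _mac(value: str) -> bytes:
    # Fixed-length bytes: hides the stored password's length and avoids the
    # TypeError compare_digest raises for non-ASCII str arguments.
    return hmac.new(_MAC_KEY, value.encode("utf-8"), "sha256").digest()


def login_hardened(username: str, password: str) -> bool:
    """Constant-time check that does the same work for unknown usernames."""
    known = username in AUTH
    expected = AUTH[username] if known else _DUMMY
    matches = secrets.compare_digest(_mac(expected), _mac(password))
    return known and matches
```

Both functions return the same answers; only the hardened one keeps comparison time independent of how much of the guess is correct.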

Exploitation Scenario

An adversary discovers an internet-exposed Gradio endpoint hosting a proprietary LLM or CV model (trivial via Shodan or BinaryEdge with query filters for Gradio's default port and UI fingerprint). They write a Python script sending timed POST requests to the login endpoint with systematically varied passwords, measuring response latency averaged over 50+ requests per character position to overcome network jitter. Non-constant-time comparison leaks microsecond-scale timing differences, allowing character-by-character password recovery. Once authenticated, the attacker accesses the full model inference API — extracting model behavior via systematic probing, harvesting sensitive outputs if the model is connected to enterprise data, or injecting adversarial inputs to corrupt outputs seen by legitimate users.

Weaknesses (CWE)

Timeline

Published: March 29, 2024
Last Modified: July 30, 2025
First Seen: March 29, 2024
