CVE-2024-1729: Gradio: timing attack enables auth bypass on ML UIs

UNKNOWN | PoC AVAILABLE | CISA: ATTEND
Published March 29, 2024

CISO Take

Gradio's built-in authentication uses non-constant-time string comparison, letting attackers infer passwords by measuring response times. Any internet-exposed Gradio instance using native username/password auth is at risk of credential theft and unauthorized model access. Patch immediately or move authentication to a reverse proxy — do not rely on Gradio's native auth for any production deployment.

What is the risk?

Medium risk with high exposure potential. Gradio is ubiquitous in enterprise ML demos, internal AI tooling, and PoC deployments, often secured only by its native auth. Timing attacks are well understood, require no special privileges, and are fully scriptable. The primary constraint is network noise, which can be mitigated by averaging multiple measurements. No CVSS score is assigned, but practical exploitability is moderate given the large number of internet-exposed Gradio instances.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
Gradio | pip | | No patch

43.0K | OpenSSF 5.6 | 685 dependents | Pushed 5d ago | 26% patched | ~110d to patch

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: 0.5% chance of exploitation in 30 days (higher than 39% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

5 steps
  1. Patch: upgrade Gradio to a version including commit e329f1fd38935213fe0e73962e8cbd5d3af6e87b (replaces direct comparison with secrets.compare_digest).

  2. Interim workaround: place Gradio behind nginx/Caddy with HTTP Basic Auth or OAuth2 proxy — remove the auth= parameter from Gradio itself.

  3. Rate limiting: enforce aggressive login rate limits (5 attempts/minute/IP) via WAF or fail2ban.

  4. Detection: alert on >20 failed authentication attempts from a single IP within 60 seconds against Gradio endpoints.

  5. Audit: inventory all Gradio deployments in your environment and verify none are internet-facing without a hardened auth layer.
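
The detection threshold in step 4, run over access-log lines, as an added example rather than tooling from the advisory. The log line format, the `/login` path, the failure status codes and all function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                          # alert on MORE than 20 failures ...
WINDOW = timedelta(seconds=60)          # ... from one IP within 60 seconds
FAIL_STATUSES = {"400", "401", "403"}   # assumption: status logged for a failed login


def parse(line):
    """Assumed format: '<ISO-8601 time> <client ip> <method> <path> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return (when, *parts[1:])


def find_bursts(lines, login_path="/login"):
    """Return {ip: time the threshold was first exceeded}.

    Each IP's lines must appear in time order, as in an access log.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # skip lines that do not match the format
        when, ip, method, path, status = rec
        if method != "POST" or path != login_path or status not in FAIL_STATUSES:
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] >= WINDOW:   # expire failures older than 60 s
            q.popleft()
        if len(q) > THRESHOLD:
            alerts.setdefault(ip, when)
    return alerts


def sample_log():
    """Constructed input: one client failing every second, one every 10 s."""
    base = datetime(2024, 3, 29, 12, 0, 0)
    line = "{} {} POST /login {}".format
    fast = [line((base + timedelta(seconds=i)).isoformat(), "203.0.113.7", 400) for i in range(30)]
    slow = [line((base + timedelta(seconds=10 * i)).isoformat(), "198.51.100.9", 400) for i in range(30)]
    return fast + slow + [line(base.isoformat(), "192.0.2.4", 200), "not a log line"]
```

The client failing once every 10 seconds never exceeds the threshold, which is why this alert complements the rate limit in step 3 rather than replacing it.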

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.1 - Information security measures for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems and minimize negative impacts
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-1729 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1729, increasing the risk of exploitation.

What systems are affected by CVE-2024-1729?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo platforms, AI web UIs, internal AI tooling, RAG pipelines.

What is the CVSS score for CVE-2024-1729?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model serving, ML demo platforms, AI web UIs, internal AI tooling, RAG pipelines

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0012 Valid Accounts
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.8.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be exploited to guess passwords based on response times. Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and gain unauthorized access.
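
The comparison named in the advisory beside a constant-time form, as an added example that is not Gradio's own code. `AUTH`, `check_login_vulnerable` and `check_login_hardened` are hypothetical names, and the credentials are constructed.

```python
import secrets

# Constructed credential store standing in for app.auth (username -> password).
AUTH = {"admin": "correct horse", "zoë": "pässwörd"}

# Random value compared against when the username is unknown, so the
# unknown-user path does the same comparison work as the known-user path.
_DUMMY = secrets.token_urlsafe(32)


def check_login_vulnerable(auth, username, password):
    """The pattern from the advisory: `==` on str may return at the first
    differing character, so elapsed time depends on the stored secret."""
    return username in auth and auth[username] == password


def check_login_hardened(auth, username, password):
    """Constant-time check with secrets.compare_digest.

    Both sides are encoded to bytes because compare_digest raises TypeError
    when given str arguments that contain non-ASCII characters.
    """
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    known = username in auth
    expected = auth[username] if known else _DUMMY
    same = secrets.compare_digest(expected.encode("utf-8"),
                                  password.encode("utf-8"))
    # `known` is consulted only after the comparison has run.
    return same and known
```

`compare_digest` hides where two values differ, not whether their lengths differ, so stored secrets of very different lengths can still be distinguished by length.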

Exploitation Scenario

An adversary discovers an internet-exposed Gradio endpoint hosting a proprietary LLM or CV model (trivial via Shodan or BinaryEdge with query filters for Gradio's default port and UI fingerprint). They write a Python script sending timed POST requests to the login endpoint with systematically varied passwords, measuring response latency averaged over 50+ requests per character position to overcome network jitter. Non-constant-time comparison leaks microsecond-scale timing differences, allowing character-by-character password recovery. Once authenticated, the attacker accesses the full model inference API — extracting model behavior via systematic probing, harvesting sensitive outputs if the model is connected to enterprise data, or injecting adversarial inputs to corrupt outputs seen by legitimate users.

Weaknesses (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

  • [Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
  • [Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Source: MITRE CWE corpus.

Timeline

Published
March 29, 2024
Last Modified
July 30, 2025
First Seen
March 29, 2024
