CVE-2024-2206: Gradio: SSRF exposes internal HuggingFace endpoints

MEDIUM PoC AVAILABLE CISA: TRACK*
Published March 27, 2024
CISO Take

Any Gradio deployment on Hugging Face Spaces is exploitable without credentials — an attacker sends a crafted X-Direct-Url header to inject arbitrary URLs into the proxy allowlist, then pivots to internal endpoints including cloud metadata services. Patch immediately to commit 49d9c48 or disable the /proxy route if unused. Treat any unpatched Gradio instance as a potential pivot point into your ML hosting infrastructure.

Risk Assessment

Effective risk exceeds the CVSS 6.5 score for ML teams. Zero prerequisites (no auth, no user interaction, network-accessible) make exploitation trivial for any attacker who identifies a Gradio instance. In Hugging Face Spaces, SSRF can reach the instance metadata service (169.254.169.254), exposing cloud credentials and enabling lateral movement. The attack surface is large — Gradio is the dominant ML demo framework with tens of thousands of public deployments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
gradio pip No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 32% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: Low
I: Low
A: None

Recommended Action

  1. PATCH

    Update to the version containing commit 49d9c48537aa706bf72628e3640389470138bdc6 — verify via pip show gradio.

  2. WORKAROUND

    If patching is blocked, disable or firewall the /proxy route at the reverse proxy layer.

  3. NETWORK

    Block egress to 169.254.169.254 (IMDSv1) from Gradio containers; enforce IMDSv2 with hop-limit=1 on AWS/GCP/Azure.

  4. DETECTION

    Alert on HTTP requests containing X-Direct-Url headers in your WAF or ingress logs.

  5. AUDIT

    Review all Gradio versions in use across ML serving infrastructure; treat any pre-patch version as compromised if internet-facing.
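
One way to implement the DETECTION step over ingress logs, as an added example (not part of the original advisory and not Gradio code). The JSON-lines schema, the function name and the sample records are assumptions constructed for illustration.

```python
import json

def find_direct_url_alerts(log_lines):
    """Flag requests carrying X-Direct-Url; note later /proxy hits by the same client.

    Assumes JSON-lines ingress logs with 'client', 'path' and 'headers' fields
    (hypothetical schema; map it onto your WAF or ingress log format).
    """
    alerts, by_client = [], {}
    for lineno, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        hdrs = rec.get("headers")
        hdrs = hdrs if isinstance(hdrs, dict) else {}
        names = {str(k).lower(): v for k, v in hdrs.items()}  # names are case-insensitive
        client, path = rec.get("client"), str(rec.get("path") or "")
        if "x-direct-url" in names:
            alert = {"line": lineno, "client": client, "path": path,
                     "value": names["x-direct-url"], "proxy_followup": False}
            alerts.append(alert)
            by_client.setdefault(client, []).append(alert)
        elif path.startswith("/proxy"):
            for alert in by_client.get(client, []):
                alert["proxy_followup"] = True  # raises triage priority
    return alerts

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    json.dumps({"client": "198.51.100.20", "path": "/",
                "headers": {"User-Agent": "Mozilla/5.0"}}),
    json.dumps({"client": "203.0.113.7", "path": "/config",
                "headers": {"X-Direct-URL": "http://169.254.169.254/latest/meta-data/"}}),
    "truncated {not json",
    json.dumps({"client": "203.0.113.7", "path": "/proxy=constructed-target", "headers": {}}),
    json.dumps({"client": "198.51.100.20", "path": "/proxy=constructed-target", "headers": {}}),
]

if __name__ == "__main__":
    for alert in find_direct_url_alerts(SAMPLE_LOG):
        print(alert)
```

An alert with `proxy_followup` set means the same client later requested the /proxy route, which is the sequence the advisory describes.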

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment; 8.4 - AI system operation
NIST AI RMF: GOVERN 1.2 - Policies and procedures for AI risk governance; MANAGE 2.2 - Mechanisms for vulnerability and incident response
OWASP LLM Top 10: LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2024-2206?

Any Gradio deployment on Hugging Face Spaces is exploitable without credentials — an attacker sends a crafted X-Direct-Url header to inject arbitrary URLs into the proxy allowlist, then pivots to internal endpoints including cloud metadata services. Patch immediately to commit 49d9c48 or disable the /proxy route if unused. Treat any unpatched Gradio instance as a potential pivot point into your ML hosting infrastructure.

Is CVE-2024-2206 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-2206, increasing the risk of exploitation.

How to fix CVE-2024-2206?

  1. PATCH: Update to the version containing commit 49d9c48537aa706bf72628e3640389470138bdc6; verify via pip show gradio.
  2. WORKAROUND: If patching is blocked, disable or firewall the /proxy route at the reverse proxy layer.
  3. NETWORK: Block egress to 169.254.169.254 (IMDSv1) from Gradio containers; enforce IMDSv2 with hop-limit=1 on AWS/GCP/Azure.
  4. DETECTION: Alert on HTTP requests containing X-Direct-Url headers in your WAF or ingress logs.
  5. AUDIT: Review all Gradio versions in use across ML serving infrastructure; treat any pre-patch version as compromised if internet-facing.

What systems are affected by CVE-2024-2206?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo infrastructure, inference endpoints, agent frameworks, RAG pipelines.

What is the CVSS score for CVE-2024-2206?

CVE-2024-2206 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.13%.

Technical Details

NVD Description

An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Url` header in requests to the `/` and `/config` routes, allowing the addition of arbitrary URLs for proxying. This flaw enables unauthorized proxying of requests and potential access to internal endpoints within the Hugging Face space. The issue arises from the application's inadequate checking of safe URLs in the `build_proxy_request` function.
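
A simplified model of the weakness described above next to a hardened check, as an added example (not Gradio's code and not the upstream patch). The class names and the `demo-space.example` host are hypothetical; only `replica_urls` and the `X-Direct-Url` header come from the description.

```python
from urllib.parse import urlsplit
import ipaddress

class HeaderTrustingProxy:
    """Weak pattern: the proxy allowlist grows from a request header."""
    def __init__(self, configured_urls):
        self.replica_urls = set(configured_urls)

    def on_request(self, headers):
        direct = {k.lower(): v for k, v in headers.items()}.get("x-direct-url")
        if direct:
            self.replica_urls.add(direct)  # client-controlled allowlist entry

    def allows(self, target):
        host = urlsplit(target).hostname
        return any(urlsplit(u).hostname == host for u in self.replica_urls)

class FixedAllowlistProxy:
    """Hardened pattern: allowlist is fixed at startup, never taken from requests."""
    def __init__(self, trusted_hosts):
        self._trusted = frozenset(h.lower() for h in trusted_hosts)

    def on_request(self, headers):
        pass  # request headers never influence what may be proxied

    def allows(self, target):
        try:
            parts = urlsplit(target)
            host = (parts.hostname or "").lower()
        except ValueError:
            return False  # unparseable URL (e.g. broken IPv6 literal)
        if parts.scheme not in ("http", "https") or parts.username or not host:
            return False
        try:
            ipaddress.ip_address(host)
            return False  # IP literals (metadata, loopback, RFC 1918) are never targets
        except ValueError:
            return host in self._trusted  # hostname: exact match only

if __name__ == "__main__":
    hdr = {"X-Direct-Url": "http://169.254.169.254/"}
    for proxy in (HeaderTrustingProxy(["https://demo-space.example"]),
                  FixedAllowlistProxy(["demo-space.example"])):
        proxy.on_request(hdr)
        print(type(proxy).__name__, proxy.allows("http://169.254.169.254/latest/"))
```

The hardened check does not cover hostnames that resolve to internal addresses; pair it with the egress blocking listed under Recommended Action.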

Exploitation Scenario

Attacker scans Hugging Face Spaces for Gradio instances (trivial via HF API). Sends GET / with header X-Direct-Url: http://169.254.169.254/latest/meta-data/iam/security-credentials/ — this injects the metadata URL into self.replica_urls. Follow-up request to /proxy retrieves live AWS IAM credentials. Attacker uses exfiltrated credentials to access S3 buckets containing training data, model weights, or downstream services. Full chain: unauthenticated HTTP request → cloud credential exfiltration → data breach or model IP theft.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Timeline

Published: March 27, 2024
Last Modified: July 29, 2025
First Seen: March 27, 2024
