CVE-2024-2206: Gradio: SSRF exposes internal HuggingFace endpoints

Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published March 27, 2024
CISO Take

Any unpatched Gradio deployment, Hugging Face Spaces included, is exploitable without credentials: an attacker sends a request to / or /config with a crafted X-Direct-Url header, the application stores that value in its replica_urls set as if it were one of its own roots, and a follow-up request to the /proxy route for a URL on that host passes the safe-URL check. Where the container can reach a cloud metadata service, that is a path to instance credentials. Patch to a release containing commit 49d9c48, or block the /proxy route if your app does not need it, and treat any unpatched, internet-facing Gradio instance as a potential pivot point into your ML hosting infrastructure.

What is the risk?

Effective risk for ML teams exceeds what the CVSS 6.5 score suggests. There are no prerequisites (no authentication, no user interaction, reachable over the network), so exploitation is trivial for anyone who finds a Gradio instance. Where the Gradio container can reach an instance metadata service at 169.254.169.254 that does not demand a session token or custom header, the SSRF can expose cloud credentials and enable lateral movement; on Hugging Face Spaces the advisory describes potential access to internal endpoints within the Space. The attack surface is large: Gradio is the dominant ML demo framework, with tens of thousands of public deployments.

What systems are affected?

Package   Ecosystem   Vulnerable range                         Patched
Gradio    pip         releases before fix commit 49d9c48       release containing commit 49d9c48537aa706bf72628e3640389470138bdc6
Package profile: OpenSSF Scorecard 5.6, 685 dependents, 26% patched, ~110d to patch.

Do you use Gradio? If the installed release predates the fix commit, you're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 34% of all CVEs)
Exploitation status: Exploit available; exploitation likelihood MEDIUM
Sophistication: Trivial
Exploitation confidence: medium
CISA SSVC: Public PoC (indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Metric                    Value
AV (Attack Vector)        Network
AC (Attack Complexity)    Low
PR (Privileges Required)  None
UI (User Interaction)     None
S (Scope)                 Unchanged
C (Confidentiality)       Low
I (Integrity)             Low
A (Availability)          None

What should I do?

5 steps
  1. PATCH

    Update to a release that includes commit 49d9c48537aa706bf72628e3640389470138bdc6. `pip show gradio` reports only the installed version number; map that version to the release carrying the commit before treating the host as patched.

  2. WORKAROUND

    If patching is blocked, return 403 at the reverse proxy for any path that begins with /proxy. The route exists to serve assets from remote Spaces loaded with gr.load(), so apps that depend on that will lose those outputs; for most self-hosted demos nothing else breaks.

  3. NETWORK

    Block egress from Gradio containers to 169.254.169.254 (the cloud metadata address) unless the workload genuinely needs it. On AWS, require IMDSv2 and set the metadata hop limit to 1 so a tokenless request proxied from a container is refused. GCP and Azure metadata endpoints already require a custom request header (Metadata-Flavor: Google, Metadata: true) that a blind proxy does not add, but keep the egress block regardless, since the SSRF reaches any other internal HTTP service the container can route to.

  4. DETECTION

    Alert on requests whose X-Direct-Url header names a host other than your own origin, especially a link-local, loopback or RFC 1918 address, and on requests to the /proxy route whose target host is not one you loaded deliberately. Alerting on the mere presence of the header is noisy where a front-end legitimately sets it to your own URL.

  5. AUDIT

    Inventory every Gradio version in use across ML serving infrastructure. For any pre-patch version that was internet-facing, assume the proxy may have been used: rotate cloud credentials reachable from that host and review access logs for the header and the /proxy route.

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  6.1.2 - AI risk assessment
  8.4 - AI system operation
NIST AI RMF
  GOVERN 1.2 - Policies and procedures for AI risk governance
  MANAGE 2.2 - Mechanisms for vulnerability and incident response
OWASP LLM Top 10
  LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2024-2206?

CVE-2024-2206 is a server-side request forgery in Gradio's /proxy route. An unauthenticated attacker supplies an X-Direct-Url header on a request to / or /config, the value is added to the application's replica_urls set of trusted roots, and the proxy will then fetch URLs on that host on the attacker's behalf, including internal endpoints and, where reachable, the cloud metadata service. The fix is commit 49d9c48; if you cannot patch, block the /proxy route.

Is CVE-2024-2206 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-2206, increasing the risk of exploitation.

How to fix CVE-2024-2206?

1. PATCH: Update to a release that includes commit 49d9c48537aa706bf72628e3640389470138bdc6; `pip show gradio` gives only the version number, so map it to the release carrying the commit. 2. WORKAROUND: If patching is blocked, return 403 at the reverse proxy for any path beginning with /proxy (apps that load remote Spaces with gr.load() will lose those assets). 3. NETWORK: Block egress from Gradio containers to 169.254.169.254; on AWS require IMDSv2 with a hop limit of 1, and note that GCP and Azure metadata endpoints require a custom header the proxy does not add. 4. DETECTION: Alert on X-Direct-Url values and /proxy targets whose host is not one of your own origins, particularly internal or link-local addresses. 5. AUDIT: Inventory Gradio versions across ML serving infrastructure; for any internet-facing pre-patch version, rotate reachable cloud credentials and review logs for the header and the /proxy route.

What systems are affected by CVE-2024-2206?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo infrastructure, inference endpoints, agent frameworks, RAG pipelines.

What is the CVSS score for CVE-2024-2206?

CVE-2024-2206 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.42%.

What is the AI security impact?

Affected AI Architectures

model serving, ML demo infrastructure, inference endpoints, agent frameworks, RAG pipelines

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 1.2, MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Url` header in requests to the `/` and `/config` routes, allowing the addition of arbitrary URLs for proxying. This flaw enables unauthorized proxying of requests and potential access to internal endpoints within the Hugging Face space. The issue arises from the application's inadequate checking of safe URLs in the `build_proxy_request` function.

Exploitation Scenario

An attacker enumerates Hugging Face Spaces for Gradio instances (trivial via the HF API). They send GET / with the header X-Direct-Url: http://169.254.169.254/latest/meta-data/iam/security-credentials/, and the application records that value in self.replica_urls as if it were one of its own roots. Because the safe-URL check in build_proxy_request consults that set, a follow-up request to the /proxy route for a URL on 169.254.169.254 passes the check and the proxied response is returned to the attacker. If the container can reach an IMDSv1-style metadata service (no session token or custom header required), that response contains live AWS IAM credentials, which the attacker then uses against S3 buckets holding training data or model weights, or against downstream services. Full chain: unauthenticated HTTP request, cloud credential exfiltration, data breach or model IP theft. Where IMDSv2 is enforced, or the metadata service requires a custom header as on GCP and Azure, this particular pivot fails, but the SSRF still reaches any other internal HTTP endpoint the container can route to.
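The two halves of that chain, modelled as an added Python example (this is not Gradio's code; the class, method and URL names are assumptions made here, and the allowlist check is a simplified stand-in for the one the advisory places in build_proxy_request). A pre-fix proxy whose trusted roots are seeded from the X-Direct-Url header sits beside a hardened one whose roots are fixed by the operator and which refuses non-global destinations even if someone lists them.

```python
"""Added illustration of the trust flaw behind CVE-2024-2206, not Gradio's own code.

VulnerableProxy models the pre-fix flow: the root-URL handler records the
X-Direct-Url header value into replica_urls, and the proxy trusts any target
whose host matches a recorded root. HardenedProxy models the shape of a fix.
All names here are assumptions chosen for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

METADATA_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"


def _host_of(url: str) -> str | None:
    return urlsplit(url).hostname


def _literal_ip_is_global(host: str) -> bool:
    """False for loopback, link-local (169.254.0.0/16) and RFC 1918 IP literals.
    DNS names pass here; a real deployment must also pin the resolved address
    at connect time to defeat rebinding."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


@dataclass
class VulnerableProxy:
    """Pre-fix behaviour: whatever the client puts in X-Direct-Url becomes a
    trusted root, and any URL on a trusted root's host may be proxied."""
    replica_urls: set[str] = field(default_factory=set)

    def handle_root(self, headers: dict[str, str], request_url: str) -> str:
        root = headers.get("x-direct-url") or request_url
        self.replica_urls.add(root)   # attacker-controlled value enters the allowlist
        return root

    def proxy_allowed(self, target: str) -> bool:
        return any(_host_of(target) == _host_of(root) for root in self.replica_urls)


@dataclass
class HardenedProxy:
    """Post-fix shape: the allowlist is fixed by the operator at startup (the
    hosts of remote apps it deliberately loads), request headers never modify
    it, and non-global destinations are refused regardless of the list."""
    allowed_hosts: frozenset[str]

    def handle_root(self, headers: dict[str, str], request_url: str) -> str:
        return request_url            # the header may not influence trust decisions

    def proxy_allowed(self, target: str) -> bool:
        parts = urlsplit(target)
        host = parts.hostname
        if parts.scheme not in ("http", "https") or not host:
            return False
        if host not in self.allowed_hosts:
            return False
        return _literal_ip_is_global(host)


def run_attack(app) -> bool:
    """Replay the advisory's two-step chain; True means the metadata URL would be proxied."""
    app.handle_root({"x-direct-url": METADATA_URL}, "https://demo.example/")
    return app.proxy_allowed(METADATA_URL)


def vulnerable_result() -> bool:
    return run_attack(VulnerableProxy())


def hardened_result() -> bool:
    return run_attack(HardenedProxy(allowed_hosts=frozenset({"demo.example"})))


def hardened_allows_legitimate() -> bool:
    return HardenedProxy(frozenset({"demo.example"})).proxy_allowed("https://demo.example/file=x")


def hardened_refuses_internal_even_if_listed() -> bool:
    # Defence in depth: a link-local literal is refused even when an operator lists it.
    return HardenedProxy(frozenset({"169.254.169.254"})).proxy_allowed(METADATA_URL)


if __name__ == "__main__":
    print("vulnerable proxies metadata URL:", vulnerable_result())
    print("hardened proxies metadata URL:", hardened_result())
```

The point of the hardened variant is that the allowlist is an operator decision made once, not a set any request can grow; the non-global check is a second, independent line that still holds if someone later adds a bad host by mistake.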

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Timeline

Published
March 27, 2024
Last Modified
July 29, 2025
First Seen
March 27, 2024

Related Vulnerabilities