CVE-2024-39236 — CRITICAL (CVSS 9.8) AI Security Vulnerability

CISO Take

Gradio v4.36.1 contains a code injection flaw in component_meta.py triggerable via crafted inputs — CVSS 9.8 but vendor disputes severity, asserting the attack path requires self-targeting (attacker controls their own instance). Risk is real for shared/multi-tenant Gradio deployments where untrusted users submit inputs to a server others depend on. Audit all internet-exposed Gradio instances immediately and upgrade beyond v4.36.1 if a patch exists, or restrict access to trusted users only.

Risk Assessment

CVSS 9.8 overstates risk for typical single-user local deployments — vendor's dispute is valid in that context. However, shared Gradio deployments (internal AI demo platforms, multi-user ML prototyping environments, public-facing model demos) present genuine server-side code execution risk if untrusted users can submit inputs. Attack complexity is low and no authentication is required per CVSS vector, making internet-exposed shared instances a critical exposure. Exploitability is HIGH for shared deployments, LOW for single-user local setups.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.5 679 dependents Pushed 2d ago 27% patched ~110d to patch Full package profile →

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

1.9%

chance of exploitation in 30 days

Higher than 83% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

6 steps

Inventory all Gradio deployments — identify version and exposure (local vs shared vs public).
Upgrade Gradio to latest version; check GitHub advisory GHSA-9v2f-6vcg-3hgv for patched version.
If upgrade is not immediately possible: restrict Gradio access to authenticated, trusted users only — add network controls (VPN, IP allowlist) in front of any shared instance.
Disable public-facing Gradio demos running v4.36.1 until patched.
Detection: monitor for anomalous subprocess spawning or file writes from the Gradio process; review component_meta.py inputs in application logs for eval/exec patterns.
Review Hugging Face Spaces deployments if using this version.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.9 - Risk management system

ISO 42001

A.6.2.5 - Security of AI system components

NIST AI RMF

GOVERN-6.2 - Organizational teams are committed to a culture that considers and communicates AI risk MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM09 - Overreliance

Frequently Asked Questions

What is CVE-2024-39236?

Gradio v4.36.1 contains a code injection flaw in component_meta.py triggerable via crafted inputs — CVSS 9.8 but vendor disputes severity, asserting the attack path requires self-targeting (attacker controls their own instance). Risk is real for shared/multi-tenant Gradio deployments where untrusted users submit inputs to a server others depend on. Audit all internet-exposed Gradio instances immediately and upgrade beyond v4.36.1 if a patch exists, or restrict access to trusted users only.

Is CVE-2024-39236 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-39236, increasing the risk of exploitation.

How to fix CVE-2024-39236?

1. Inventory all Gradio deployments — identify version and exposure (local vs shared vs public). 2. Upgrade Gradio to latest version; check GitHub advisory GHSA-9v2f-6vcg-3hgv for patched version. 3. If upgrade is not immediately possible: restrict Gradio access to authenticated, trusted users only — add network controls (VPN, IP allowlist) in front of any shared instance. 4. Disable public-facing Gradio demos running v4.36.1 until patched. 5. Detection: monitor for anomalous subprocess spawning or file writes from the Gradio process; review component_meta.py inputs in application logs for eval/exec patterns. 6. Review Hugging Face Spaces deployments if using this version.

What systems are affected by CVE-2024-39236?

This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving, AI prototyping environments, internal AI tooling.

What is the CVSS score for CVE-2024-39236?

CVE-2024-39236 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.88%.

Technical Details

NVD Description

Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.

Exploitation Scenario

An adversary identifies an organization's shared internal Gradio deployment used by the ML team to test models. The attacker — either an insider or an external actor who bypassed weak authentication — crafts a malicious input payload targeting the component_meta.py code path. The crafted input triggers code injection on the server, giving the attacker arbitrary code execution in the context of the Gradio process. From there, they exfiltrate API keys (OpenAI, Hugging Face, cloud credentials) stored as environment variables, steal model weights, pivot to internal infrastructure, or establish persistence via a reverse shell. The attack is fully network-based with no privileges required in shared-access scenarios.