CVE-2024-39236: Gradio: code injection via component metadata (CVSS 9.8)

CRITICAL | PoC AVAILABLE | CISA: ATTEND
Published July 1, 2024
CISO Take

Gradio v4.36.1 contains a code injection flaw in component_meta.py triggerable via crafted inputs — CVSS 9.8 but vendor disputes severity, asserting the attack path requires self-targeting (attacker controls their own instance). Risk is real for shared/multi-tenant Gradio deployments where untrusted users submit inputs to a server others depend on. Audit all internet-exposed Gradio instances immediately and upgrade beyond v4.36.1 if a patch exists, or restrict access to trusted users only.

What is the risk?

CVSS 9.8 overstates risk for typical single-user local deployments — vendor's dispute is valid in that context. However, shared Gradio deployments (internal AI demo platforms, multi-user ML prototyping environments, public-facing model demos) present genuine server-side code execution risk if untrusted users can submit inputs. Attack complexity is low and no authentication is required per CVSS vector, making internet-exposed shared instances a critical exposure. Exploitability is HIGH for shared deployments, LOW for single-user local setups.

What systems are affected?

Package: Gradio
Ecosystem: pip
Vulnerable Range: (none listed)
Patched: No patch

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.9% chance of exploitation in 30 days (higher than 54% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

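AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High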

What should I do?

  1. Inventory all Gradio deployments — identify version and exposure (local vs shared vs public).

  2. Upgrade Gradio to latest version; check GitHub advisory GHSA-9v2f-6vcg-3hgv for patched version.

  3. If upgrade is not immediately possible: restrict Gradio access to authenticated, trusted users only — add network controls (VPN, IP allowlist) in front of any shared instance.

  4. Disable public-facing Gradio demos running v4.36.1 until patched.

  5. Detection: monitor for anomalous subprocess spawning or file writes from the Gradio process; review component_meta.py inputs in application logs for eval/exec patterns.

  6. Review Hugging Face Spaces deployments if using this version.
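
A sketch of how steps 1 to 4 could be automated (added example, not code from Gradio or from the advisory): it reads the Gradio pin from each deployment's requirements text and maps version plus exposure to the action the steps call for. The exposure labels, action strings, function names and the sample inventory are assumptions constructed for illustration.

```python
import re
from importlib import metadata

NAMED_VERSION = "4.36.1"  # the only release the advisory names; no range is listed

# Matches "gradio==X" or "gradio[extra]==X", but not "gradio_client==X".
_PIN = re.compile(r"^\s*gradio(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)", re.I)

def pinned_gradio_version(requirements_text):
    """Return the version pinned with == in requirements text, else None."""
    for line in requirements_text.splitlines():
        match = _PIN.match(line)
        if match:
            return match.group(1)
    return None

def installed_gradio_version():
    """Version of gradio in the current environment, or None if absent."""
    try:
        return metadata.version("gradio")
    except metadata.PackageNotFoundError:
        return None

def triage(version, exposure):
    """Map one deployment to an action from the steps above.
    exposure is 'local', 'shared' or 'public' (labels assumed here)."""
    if version is None:
        return "resolve version"        # unpinned: cannot be ruled out
    if version != NAMED_VERSION:
        return "check advisory"         # no range published, so not cleared
    if exposure == "public":
        return "disable until patched"  # step 4
    if exposure == "shared":
        return "restrict access"        # step 3
    return "upgrade"                    # step 2; single-user local setup

# Constructed inventory: (name, requirements text, exposure).
SAMPLE = [
    ("demo-portal", "gradio==4.36.1\nnumpy==1.26.4\n", "public"),
    ("ml-sandbox", "gradio[oauth]==4.36.1 ; python_version >= '3.8'\n", "shared"),
    ("laptop-nb", "gradio==4.36.1  # pinned\n", "local"),
    ("batch-ui", "gradio>=4.0\ngradio_client==1.0.1\n", "shared"),
    ("old-demo", "Gradio==3.50.2\n", "public"),
]

def run_inventory(rows=SAMPLE):
    """Return {deployment name: action} for every row in the inventory."""
    return {name: triage(pinned_gradio_version(req), exp) for name, req, exp in rows}
```

Pass your own rows to run_inventory(); on a live host, installed_gradio_version() reports what is actually installed, which can differ from the pin.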

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art.9 - Risk management system
ISO 42001: A.6.2.5 - Security of AI system components
NIST AI RMF: GOVERN-6.2 - Organizational teams are committed to a culture that considers and communicates AI risk
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM09 - Overreliance

Frequently Asked Questions

Is CVE-2024-39236 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-39236, increasing the risk of exploitation.

What systems are affected by CVE-2024-39236?

This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving, AI prototyping environments, internal AI tooling.

What is the CVSS score for CVE-2024-39236?

CVE-2024-39236 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.86%.

What is the AI security impact?

Affected AI Architectures

ML demo platforms, model serving, AI prototyping environments, internal AI tooling

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.6.2.5
NIST AI RMF: GOVERN-6.2, MANAGE-2.2
OWASP LLM Top 10: LLM09

What are the technical details?

Original Advisory

Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.

Exploitation Scenario

An adversary identifies an organization's shared internal Gradio deployment used by the ML team to test models. The attacker — either an insider or an external actor who bypassed weak authentication — crafts a malicious input payload targeting the component_meta.py code path. The crafted input triggers code injection on the server, giving the attacker arbitrary code execution in the context of the Gradio process. From there, they exfiltrate API keys (OpenAI, Hugging Face, cloud credentials) stored as environment variables, steal model weights, pivot to internal infrastructure, or establish persistence via a reverse shell. The attack is fully network-based with no privileges required in shared-access scenarios.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: July 1, 2024
Last Modified: June 27, 2025
First Seen: July 1, 2024
