CVE-2024-4254: Gradio: secrets exfiltration via unsafe fork PR workflow

Severity: not scored | PoC available | CISA SSVC: Track*
Published June 4, 2024
CISO Take

Any team using Gradio in its ML stack should treat this as a supply chain integrity event. The flaw is not in the gradio library but in the project's own GitHub Actions CI: a workflow checked out and ran code from fork pull requests in a context that held repository secrets, so any external contributor could have exfiltrated the HuggingFace token (HF_TOKEN), AWS keys, Vercel tokens and a GITHUB_TOKEN with push access, and used them to tamper with Gradio releases or HuggingFace Spaces. Nothing on this page indicates the flaw was exploited, but the exposure only ends once those secrets are rotated. Audit your pinned Gradio versions against known-good release hashes and rotate any credentials shared with or derived from Gradio's build pipeline. If your team mirrors or caches Gradio packages internally, verify integrity before the next deployment.

Risk Assessment

Risk is HIGH despite the missing CVSS score. The exploit requires only submitting a GitHub PR from a fork, a trivial action open to any public contributor. The blast radius is supply-chain-wide: the exposed GITHUB_TOKEN had push access to the base repository, and a compromised HF_TOKEN and AWS keys could allow an adversary to tamper with Gradio packages, HuggingFace model artifacts, or Vercel-hosted deployments before the vulnerability was disclosed. The absence of a KEV listing does not reduce urgency given Gradio's ubiquity across AI/ML pipelines.

Affected Systems

Package: gradio
Ecosystem: pip
Vulnerable range: none by version; the flaw is in the repository's deploy-website.yml CI workflow, not in any released package
Patched: no package patch applies; remediation is to the repository's workflow, not a new gradio release

If you use gradio: no released version of the package carries the flaw, and upgrading does not fix anything. Your exposure is indirect, through whatever the compromised credentials could have tampered with (releases, HuggingFace Spaces, Vercel deployments) during the window before disclosure.

Severity & Risk

CVSS 3.1: N/A (no score assigned)
EPSS: 0.4% chance of exploitation in 30 days (higher than 60% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM
Sophistication: trivial
Exploitation confidence: medium
CISA SSVC: public PoC
Public PoC indexed in trickest/cve
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

6 steps
  1. Pin Gradio to an exact version with per-file hashes in requirements files and verify against PyPI checksums; pip's --require-hashes mode enforces this at install time. Avoid range pinning, which lets a newly published version slip in unnoticed.

  2. Audit HuggingFace Spaces and any internal deployments that consume Gradio packages released around the vulnerability window (prior to 2024-06-04).

  3. If your CI/CD inherits HF_TOKEN, AWS credentials, or Vercel tokens from a Gradio-derived workflow, rotate them immediately and review their usage logs for activity from unfamiliar sources.

  4. Scan your own GitHub Actions workflows for the same anti-pattern: a privileged trigger (pull_request_target, or workflow_run, which likewise runs with base-repository secrets) combined with a checkout of the pull request head followed by execution of anything it contains (build scripts, tests, install hooks). The workflow definition itself always comes from the base branch; it is the checked-out fork code that the attacker controls. This is detectable with tools like actionlint or Semgrep (rule: github-actions-pull-request-target-code-execution). The safe shape is to build fork code under the unprivileged pull_request trigger and pass the result to a privileged job as an artifact, never re-checking out fork code there.

  5. Enable GitHub's dependency review for pull requests and Dependabot version updates for the github-actions ecosystem so action references stay current; pin third-party actions to full commit SHAs rather than mutable tags.

  6. For detection: monitor PyPI and HuggingFace model cards for unexpected version bumps or author changes on Gradio-related packages.
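Step 6 asks for monitoring of PyPI for unexpected changes. The following is an added example, not code from this page or from the gradio project: it diffs two snapshots of the PyPI JSON API's `releases` field (the real endpoint is https://pypi.org/pypi/gradio/json; the snapshots below are constructed, with made-up versions and digests, and only the `filename`, `digests` and `upload_time` keys are used) and treats a digest change on an already-published file as a hard alert, because pypi.org never mutates a file once published.

```python
from dataclasses import dataclass, field


@dataclass
class Drift:
    new_versions: list[str] = field(default_factory=list)
    changed_digests: list[str] = field(default_factory=list)  # "version/filename"
    removed_files: list[str] = field(default_factory=list)


def _files(snapshot: dict) -> dict[str, str]:
    """Map 'version/filename' -> sha256 over every uploaded file."""
    return {
        f"{version}/{f['filename']}": f["digests"]["sha256"]
        for version, files in snapshot["releases"].items()
        for f in files
    }


def release_drift(baseline: dict, current: dict) -> Drift:
    """Compare a stored baseline snapshot with a freshly fetched one."""
    base, cur = _files(baseline), _files(current)
    return Drift(
        new_versions=sorted(set(current["releases"]) - set(baseline["releases"])),
        changed_digests=sorted(k for k in base if k in cur and base[k] != cur[k]),
        removed_files=sorted(set(base) - set(cur)),
    )


def is_suspicious(d: Drift) -> bool:
    """Published files on pypi.org are immutable, so a digest change for an
    existing filename cannot be a legitimate re-release: it points at a
    tampered mirror/cache or a poisoned index. Removals are also a hard
    alert here; new versions are only flagged for a human to check against
    the project's release notes and signing metadata."""
    return bool(d.changed_digests or d.removed_files)


# Constructed snapshots in the shape of the PyPI JSON API's 'releases' field.
# Version numbers and digests are made up for the example.
def _release(version: str, digest: str) -> dict:
    return {
        "filename": f"gradio-{version}-py3-none-any.whl",
        "digests": {"sha256": digest},
        "upload_time": "2024-06-01T00:00:00",
    }


BASELINE = {"releases": {"4.31.0": [_release("4.31.0", "a" * 64)]}}
CURRENT = {"releases": {"4.31.0": [_release("4.31.0", "a" * 64)],
                        "4.32.0": [_release("4.32.0", "b" * 64)]}}
TAMPERED = {"releases": {"4.31.0": [_release("4.31.0", "c" * 64)]}}

if __name__ == "__main__":
    for label, snap in (("current", CURRENT), ("tampered", TAMPERED)):
        d = release_drift(BASELINE, snap)
        print(label, d, "SUSPICIOUS" if is_suspicious(d) else "review new versions")
```

In practice the baseline is the snapshot taken when you last qualified a release, and the comparison runs against both pypi.org and any internal mirror: a mirror whose digests differ from pypi.org for the same filename is exactly the tampering the CISO Take warns about.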

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: no
Technical impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2 - AI system supply chain
NIST AI RMF: GOVERN-6.1 - Third-party risk policies and practices; MANAGE-2.4 - Residual risks from third-party components
OWASP LLM Top 10: LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2024-4254?

CVE-2024-4254 is a secrets-exfiltration flaw in the deploy-website.yml GitHub Actions workflow of the gradio-app/gradio repository. The workflow checked out and executed code from fork pull requests in a context that held repository secrets (GITHUB_TOKEN, HF_TOKEN, Vercel and AWS credentials) and could push to the base repository, so any external contributor could have run code that exfiltrated those secrets. It is a supply chain integrity event rather than a bug in the gradio library: no released package version contains the flaw, but the exposed credentials could have been used to tamper with Gradio releases, HuggingFace Spaces or Vercel deployments.

Is CVE-2024-4254 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-4254 (indexed in trickest/cve), increasing the risk of exploitation. There is no report of in-the-wild exploitation and the CVE is not in CISA KEV.

How to fix CVE-2024-4254?

There is no gradio version to upgrade to, because the flaw lives in the repository's CI workflow rather than in the package. Consumers should pin Gradio by exact version and hash, audit deployments that took Gradio packages before 2024-06-04, rotate any credentials shared with Gradio's build pipeline, scan their own workflows for the same privileged-trigger plus fork-checkout anti-pattern, and monitor PyPI and HuggingFace for unexpected releases. The six steps under Recommended Action above give the details.

What systems are affected by CVE-2024-4254?

The vulnerable component is the CI workflow of the gradio-app/gradio repository, not the gradio package itself. Downstream exposure is through the credentials that workflow held, which reach the following AI/ML architecture patterns: ML UI deployments, CI/CD pipelines, model serving, HuggingFace Spaces, training pipelines.

What is the CVSS score for CVE-2024-4254?

No CVSS score has been assigned yet.

Technical Details

NVD Description

The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable to secrets exfiltration due to improper authorization. The vulnerability arises from the workflow's explicit checkout and execution of code from a fork, which is unsafe as it allows the running of untrusted code in an environment with access to push to the base repository and access secrets. This flaw could lead to the exfiltration of sensitive secrets such as GITHUB_TOKEN, HF_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID, COMMENT_TOKEN, AWSACCESSKEYID, AWSSECRETKEY, and VERCEL_TOKEN. The vulnerability is present in the workflow file located at https://github.com/gradio-app/gradio/blob/72f4ca88ab569aae47941b3fb0609e57f2e13a27/.github/workflows/deploy-website.yml.

Exploitation Scenario

An adversary notices that Gradio's `deploy-website.yml` runs under a privileged trigger (`pull_request_target`, which executes with base-repository secrets and a write-capable GITHUB_TOKEN) yet explicitly checks out the pull request head from the fork. The adversary forks gradio-app/gradio and modifies a script the workflow will execute, for example a build or install step (the workflow file itself is always taken from the base branch, so editing it in the fork changes nothing), to read the process environment and send it to an attacker-controlled endpoint over HTTPS or a DNS tunnel; GitHub masks secret values in logs but does not block outbound traffic from the runner. They open a PR targeting the main branch. GitHub runs the base branch's workflow with full secret access on the fork's code, and within minutes GITHUB_TOKEN, HF_TOKEN, AWSACCESSKEYID, AWSSECRETKEY, VERCEL_TOKEN, and COMMENT_TOKEN are in the adversary's hands. The GITHUB_TOKEN alone allows pushes to the base repository; with HF_TOKEN the adversary can push a trojanized Gradio artifact to HuggingFace, which downstream model deployments and HuggingFace Spaces pull at their next update.
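The scenario above and step 4 of the Recommended Action describe the same anti-pattern: a privileged trigger plus a checkout of the pull request head. The following added example (not code from this page or from the gradio project) is a standard-library-only scanner for that pattern, run over two constructed workflow files that are not the real deploy-website.yml: one with the vulnerable shape, one with the hardened shape in which fork code is built under the unprivileged `pull_request` trigger and handed onward as an artifact. It is a line-oriented heuristic rather than a YAML parser, so it is a triage aid next to Semgrep or actionlint, not a replacement.

```python
import re
from dataclasses import dataclass

# Triggers whose runs carry the base repository's secrets and a write-capable
# GITHUB_TOKEN even when the triggering event came from a fork.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")

# Checkout refs that resolve to code the PR author controls.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head|github\.head_ref|"
    r"github\.event\.workflow_run\.head_(sha|branch)"
)
CHECKOUT = re.compile(r"uses:\s*['\"]?actions/checkout@")
STEP_START = re.compile(r"^(\s*)-\s")
REF = re.compile(r"^\s*ref:\s*(.+?)\s*$")


@dataclass
class Finding:
    line: int      # 1-based line of the offending 'ref:'
    trigger: str   # privileged trigger that makes the checkout exploitable
    ref: str       # expression that pulls in fork-controlled code


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def privileged_triggers(text: str) -> list[str]:
    """Privileged trigger names appearing in the file before 'jobs:'."""
    header = re.split(r"^jobs:", text, maxsplit=1, flags=re.M)[0]
    return [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", header)]


def scan_workflow(text: str) -> list[Finding]:
    """One Finding per actions/checkout step that checks out PR-head code
    in a workflow that runs with secrets."""
    triggers = privileged_triggers(text)
    if not triggers:
        return []  # untrusted code without secrets is not this bug
    lines = text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        if not CHECKOUT.search(line):
            continue
        # Walk back to the '- ' that opens this step; every following line
        # indented deeper than that dash belongs to the same step.
        step_indent = next(
            (_indent(lines[k]) for k in range(i, -1, -1) if STEP_START.match(lines[k])), 0)
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > step_indent):
            m = REF.match(lines[j])
            if m and UNTRUSTED_REF.search(m.group(1)):
                findings.append(Finding(j + 1, triggers[0], m.group(1)))
            j += 1
    return findings


# Constructed sample with the vulnerable shape: privileged trigger, checkout
# of the PR head, then a build step that runs the fork's build scripts with a
# secret in its environment.
VULNERABLE = """\
name: deploy-website
on:
  pull_request_target:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR head
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pnpm install && pnpm build
        env:
          HF_TOKEN: ${{ secrets.HF_TOKEN }}
"""

# Constructed sample with the hardened shape: the fork's code is built under
# the unprivileged pull_request trigger (no secrets, read-only token) and the
# output is uploaded as an artifact for a separate privileged workflow that
# never checks out fork code.
HARDENED = """\
name: build-website
on:
  pull_request:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pnpm install && pnpm build
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: dist/
"""
```

Point the scanner at every file under `.github/workflows/` in your repositories; a hit where the checkout is followed by `npm install`, `pip install -e .`, `pytest` or any other step that executes repository content is the shape of this CVE. A `pull_request_target` workflow that checks out only the base branch is not flagged, which is correct: that is the safe use of the trigger.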

Timeline

Published: June 4, 2024
Last modified: October 15, 2025
First seen: June 4, 2024
