AI Threat Alert

CVE-2024-4325: Gradio: SSRF exposes internal network and cloud metadata

HIGH ACTIVELY EXPLOITED PoC AVAILABLE NUCLEI TEMPLATE
Published June 6, 2024
CISO Take

Any internet-facing Gradio deployment (v4.21.0) is vulnerable to unauthenticated SSRF that can reach AWS/GCP/Azure instance metadata endpoints, enabling IAM credential theft and lateral movement. Patch immediately or block public access; treat any cloud-hosted Gradio instance as potentially compromised. This is especially urgent for ML teams exposing model demos on cloud infrastructure.

What is the risk?

HIGH. No authentication required, low attack complexity, and exploitable remotely at scale make this trivially weaponizable. The scope change (C:H, S:C in CVSS) reflects that successful exploitation escapes the application boundary into cloud infrastructure. Gradio is pervasively used for AI/ML demos and internal tooling, significantly broadening the attack surface. AWS IMDS v1 (no session token required) is particularly vulnerable.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Gradio pip No patch
43.0K OpenSSF 5.6 685 dependents Pushed 5d ago 26% patched ~110d to patch Full package profile →

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1
8.6 / 10
EPSS
37.4%
chance of exploitation in 30 days
Higher than 98% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Actively Exploited
Sophistication
Trivial
Exploitation Confidence
high
CISA KEV (active exploitation confirmed)
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 37%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I None
A None

What should I do?

1 step

  1. 1) Upgrade Gradio to a version past 4.21.0 with the SSRF fix applied. 2) Block outbound requests to 169.254.169.254 and 169.254.169.254/latest/meta-data at the host/network firewall level. 3) If patching is not immediate, disable the /queue/join endpoint or deploy a WAF rule blocking URLs targeting RFC1918 and link-local ranges in request bodies. 4) Rotate any IAM credentials associated with Gradio-hosting instances. 5) Enable IMDSv2 (session-token required) on all EC2 instances as defense-in-depth. 6) Audit logs for requests to metadata IPs originating from Gradio processes.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Framework Inference AML.T0006 AML.T0025 AML.T0049 AML.T0055

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
8.2 - AI risk assessment 9.1 - Monitoring, measurement, analysis and evaluation
NIST AI RMF
MANAGE 2.2 - Treatments for identified risks
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-4325?

Any internet-facing Gradio deployment (v4.21.0) is vulnerable to unauthenticated SSRF that can reach AWS/GCP/Azure instance metadata endpoints, enabling IAM credential theft and lateral movement. Patch immediately or block public access; treat any cloud-hosted Gradio instance as potentially compromised. This is especially urgent for ML teams exposing model demos on cloud infrastructure.

Is CVE-2024-4325 actively exploited?

Yes, CVE-2024-4325 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2024-4325?

1) Upgrade Gradio to a version past 4.21.0 with the SSRF fix applied. 2) Block outbound requests to 169.254.169.254 and 169.254.169.254/latest/meta-data at the host/network firewall level. 3) If patching is not immediate, disable the /queue/join endpoint or deploy a WAF rule blocking URLs targeting RFC1918 and link-local ranges in request bodies. 4) Rotate any IAM credentials associated with Gradio-hosting instances. 5) Enable IMDSv2 (session-token required) on all EC2 instances as defense-in-depth. 6) Audit logs for requests to metadata IPs originating from Gradio processes.

What systems are affected by CVE-2024-4325?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo platforms, inference APIs, cloud-deployed AI applications, internal ML tooling.

What is the CVSS score for CVE-2024-4325?

CVE-2024-4325 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 37.37%.

What is the AI security impact?

Affected AI Architectures

model servingML demo platformsinference APIscloud-deployed AI applicationsinternal ML tooling

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 8.2, 9.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.

Exploitation Scenario

An unauthenticated attacker sends a POST request to `/queue/join` with a `path` parameter set to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`. The `save_url_to_cache` function issues the HTTP request without validation, returning the cloud instance's IAM role name. The attacker follows up with a second request to retrieve temporary AWS credentials. With valid AWS keys, the attacker escalates to S3 buckets containing training data, model artifacts, or customer data, and potentially the entire cloud account depending on IAM role permissions.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

Timeline

Published
June 6, 2024
Last Modified
November 21, 2024
First Seen
June 6, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2024/CVE-2024-4325.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2024-47167 9.8

Gradio: unauthenticated SSRF in /queue/join, internal pivot

Same package: gradio
CRITICAL CVE-2024-39236 9.8

Gradio: code injection via component metadata (CVSS 9.8)

Same package: gradio
CRITICAL CVE-2023-25823 9.8

Gradio: hardcoded SSH key leaks via share=True demos

Same package: gradio
CRITICAL CVE-2024-0964 9.4

Gradio: unauthenticated LFI exposes full server filesystem

Same package: gradio
CRITICAL CVE-2023-34239 9.1

Gradio: path traversal + SSRF exposes model files & infra

Same package: gradio
Back to Threat Feed