CVE-2024-4325: Gradio: SSRF exposes internal network and cloud metadata
HIGH | ACTIVELY EXPLOITED | PoC AVAILABLE | NUCLEI TEMPLATE
Any internet-facing Gradio deployment (v4.21.0) is vulnerable to unauthenticated SSRF that can reach AWS/GCP/Azure instance metadata endpoints, enabling IAM credential theft and lateral movement. Patch immediately or block public access; treat any cloud-hosted Gradio instance as potentially compromised. This is especially urgent for ML teams exposing model demos on cloud infrastructure.
Risk Assessment
HIGH. No authentication required, low attack complexity, and remote exploitability at scale make this trivially weaponizable. The changed scope and high confidentiality impact (S:C, C:H in the CVSS vector) reflect that successful exploitation escapes the application boundary into cloud infrastructure. Gradio is pervasively used for AI/ML demos and internal tooling, which significantly broadens the attack surface. Instances running AWS IMDSv1 (no session token required) are particularly exposed.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | — | No patch |
Do you use gradio? You're affected.
Recommended Action
1) Upgrade Gradio to a version past 4.21.0 with the SSRF fix applied.
2) Block outbound requests to 169.254.169.254 and 169.254.169.254/latest/meta-data at the host/network firewall level.
3) If patching is not immediate, disable the /queue/join endpoint or deploy a WAF rule blocking URLs targeting RFC1918 and link-local ranges in request bodies.
4) Rotate any IAM credentials associated with Gradio-hosting instances.
5) Enable IMDSv2 (session-token required) on all EC2 instances as defense-in-depth.
6) Audit logs for requests to metadata IPs originating from Gradio processes.
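The request-body check behind steps 3 and 6, as an added example that is not part of the original advisory or of Gradio: it walks logged `/queue/join` bodies and reports any URL whose host is an IP literal in loopback, RFC1918, link-local or other non-public space. The log layout (`ts`, `src`, `uri`, `body`), the sample records and the function names are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed records, one JSON object per line; not a real Gradio log format.
# Assumes the proxy or app logs the request URI and the decoded JSON body.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","src":"203.0.113.7","uri":"/queue/join","body":{"path":"https://8.8.8.8/cat.png"}}
{"ts":"2024-05-01T10:00:09Z","src":"203.0.113.7","uri":"/queue/join","body":{"path":"http://169.254.169.254/latest/meta-data/"}}
{"ts":"2024-05-01T10:00:15Z","src":"198.51.100.20","uri":"/queue/join","body":{"inputs":[{"path":"http://10.0.4.12:8080/"}]}}
{"ts":"2024-05-01T10:00:21Z","src":"198.51.100.20","uri":"/config","body":null}
"""


def urls_in(value):
    """Yield every http(s) URL string anywhere in a decoded JSON value."""
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        for item in value:
            yield from urls_in(item)
    elif isinstance(value, str) and value.lower().startswith(("http://", "https://")):
        yield value


def targets_internal_ip(url):
    """True if the URL host is an IP literal outside public address space."""
    try:
        return not ipaddress.ip_address(urlsplit(url).hostname or "").is_global
    except ValueError:  # hostname or malformed URL: needs egress/DNS logs instead
        return False


def suspicious_joins(log_text):
    """Return (ts, src, url) for /queue/join bodies naming an internal IP."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        if rec.get("uri") != "/queue/join":
            continue
        for url in urls_in(rec.get("body")):
            if targets_internal_ip(url):
                hits.append((rec["ts"], rec["src"], url))
    return hits
```

Literal matching misses hostnames that resolve to internal addresses, so pair it with egress or DNS logs from the Gradio host.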
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2024-4325 actively exploited?
Yes, CVE-2024-4325 is confirmed actively exploited and listed in the CISA Known Exploited Vulnerabilities catalog.
What systems are affected by CVE-2024-4325?
This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo platforms, inference APIs, cloud-deployed AI applications, internal ML tooling.
What is the CVSS score for CVE-2024-4325?
CVE-2024-4325 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 65.09%.
Technical Details
NVD Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
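The kind of destination check the description says is missing before the `path` URL is fetched, as an added example (not Gradio's code or its actual patch). `check_fetch_url`, `system_resolver` and `is_public` are hypothetical names; the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    """Every address the name resolves to (A and AAAA), via the OS resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped form cannot hide 169.254.169.254.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16),
    # IPv6 unique-local and other reserved ranges.
    return ip.is_global


def check_fetch_url(url, resolver=system_resolver):
    """Return the vetted addresses for url, or raise ValueError.

    The caller must connect to one of the returned addresses rather than
    resolving the name again, and must re-run this check on every redirect.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup
    except ValueError:
        addrs = list(resolver(host))  # name: judge what it resolves to
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    blocked = [a for a in addrs if not is_public(a)]
    if blocked:  # one bad record is enough: the client may pick any of them
        raise ValueError(f"{host!r} maps to non-public address {blocked[0]}")
    return addrs
```

Checking resolved addresses instead of pattern-matching the URL string is what keeps alternate spellings of an internal host from slipping through.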
Exploitation Scenario
An unauthenticated attacker sends a POST request to `/queue/join` with a `path` parameter set to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`. The `save_url_to_cache` function issues the HTTP request without validation, returning the cloud instance's IAM role name. The attacker follows up with a second request to retrieve temporary AWS credentials. With valid AWS keys, the attacker escalates to S3 buckets containing training data, model artifacts, or customer data, and potentially the entire cloud account depending on IAM role permissions.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
References
- huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a5aaf88 Exploit 3rd Party
- github.com/ARPSyndicate/cve-scores Exploit
- github.com/fkie-cad/nvd-json-data-feeds Exploit
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
nuclei -t http/cves/2024/CVE-2024-4325.yaml -u https://target.example.com
Related Vulnerabilities
- CVE-2024-47167, 9.8, Gradio: unauthenticated SSRF in /queue/join, internal pivot (same package: gradio)
- CVE-2024-39236, 9.8, Gradio: code injection via component metadata (CVSS 9.8) (same package: gradio)
- CVE-2023-25823, 9.8, Gradio: hardcoded SSH key leaks via share=True demos (same package: gradio)
- CVE-2024-0964, 9.4, Gradio: unauthenticated LFI exposes full server filesystem (same package: gradio)
- CVE-2023-34239, 9.1, Gradio: path traversal + SSRF exposes model files & infra (same package: gradio)