CVE-2024-47084: Gradio: CORS bypass exposes local instances to credential theft

GHSA-3c67-5hwx-f6wx HIGH
Published October 10, 2024

CISO Take

Any ML/AI team running Gradio locally with basic authentication is exposed: a developer visiting a malicious website while logged into Gradio can have auth tokens stolen and files exfiltrated silently. Upgrade to Gradio 4.44.0+ immediately and audit all internal Gradio deployments—this is a trivially exploitable, browser-based attack requiring zero ML expertise. Until patched, restrict Gradio access to localhost only and prohibit general browsing from machines running Gradio sessions.

Risk Assessment

CVSS 8.3 HIGH with low attack complexity and no privilege requirements makes this serious, but EPSS at 0.00138 indicates limited active exploitation in the wild. The real risk multiplier is Gradio's adoption footprint: it is the de facto standard for rapid ML prototyping, meaning nearly every AI/ML team has at least one instance running locally. The attack requires user interaction (victim visits attacker page), which limits mass exploitation but makes targeted attacks against known Gradio users highly feasible via phishing or watering holes. It is not in CISA KEV, a patch is available, and risk drops substantially post-upgrade.

Affected Systems

Package Ecosystem Vulnerable Range Patched
gradio pip No patch
42.5K OpenSSF 5.5 679 dependents Pushed 2d ago 27% patched ~110d to patch Full package profile →
gradio pip < 4.44.0 4.44.0

Severity & Risk

CVSS 3.1
8.3 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 33% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Unchanged
C High
I High
A Low

Recommended Action

7 steps
  1. PATCH

    Upgrade Gradio to >= 4.44.0 immediately—this is the only complete fix.

  2. WORKAROUND (pre-patch)

    Modify CustomCORSMiddleware in the local Gradio installation to remove the condition that skips CORS validation when a cookie is present.

  3. NETWORK

    Bind Gradio to 127.0.0.1 only (not 0.0.0.0); use SSH tunneling for remote access rather than exposing the port.

  4. AUTH

    Avoid browser-based basic auth on shared Gradio instances; prefer token-based access with short expiry.

  5. BROWSER HYGIENE

    Enforce policy against general internet browsing from machines running active Gradio sessions.

  6. DETECTION

    Review Gradio access logs for cross-origin requests or unexpected file upload activity from unfamiliar origins.

  7. INVENTORY

    Enumerate all Gradio instances across the organization—shadow ML environments are common and often unpatched.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
6.1.2 - Information security risk assessment
A.9.3 - AI system security
NIST AI RMF
GOVERN-1.2 - Organizational policies address AI risk
MANAGE-2.2 - Mechanisms exist to detect, respond to, and recover from risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-47084 actively exploited?

No confirmed active exploitation of CVE-2024-47084 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-47084?

1. PATCH: Upgrade Gradio to >= 4.44.0 immediately—this is the only complete fix.
2. WORKAROUND (pre-patch): Modify CustomCORSMiddleware in the local Gradio installation to remove the condition that skips CORS validation when a cookie is present.
3. NETWORK: Bind Gradio to 127.0.0.1 only (not 0.0.0.0); use SSH tunneling for remote access rather than exposing the port.
4. AUTH: Avoid browser-based basic auth on shared Gradio instances; prefer token-based access with short expiry.
5. BROWSER HYGIENE: Enforce policy against general internet browsing from machines running active Gradio sessions.
6. DETECTION: Review Gradio access logs for cross-origin requests or unexpected file upload activity from unfamiliar origins.
7. INVENTORY: Enumerate all Gradio instances across the organization—shadow ML environments are common and often unpatched.

What systems are affected by CVE-2024-47084?

This vulnerability affects the following AI/ML architecture patterns: ML prototyping environments, local model serving, AI demo and evaluation interfaces, LLM application frontends, model fine-tuning workflows.

What is the CVSS score for CVE-2024-47084?

CVE-2024-47084 has a CVSS v3.1 base score of 8.3 (HIGH). The EPSS exploitation probability is 0.14%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication. Users are advised to upgrade to `gradio>4.44` to address this issue. As a workaround, users can manually enforce stricter CORS origin validation by modifying the `CustomCORSMiddleware` class in their local Gradio server code. Specifically, they can bypass the condition that skips CORS validation for requests containing cookies to prevent potential exploitation.
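
A simplified model of the flaw described above next to the stricter check the workaround calls for, added here as an illustration. It is not Gradio's CustomCORSMiddleware code; the function names, the allowlist and the sample requests are assumptions constructed for the example.

```python
# Simplified model of a CORS decision; NOT Gradio's CustomCORSMiddleware.
# All names, the allowlist and the sample requests are constructed.

ALLOWED_ORIGINS = {"http://localhost:7860", "http://127.0.0.1:7860"}


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def _grant(origin):
    """Headers that let a browser expose a credentialed response to `origin`."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from reusing the grant for another origin
    }


def cors_headers_flawed(headers, allowed=ALLOWED_ORIGINS):
    """Flawed: a Cookie header short-circuits the origin check."""
    h = _lower_keys(headers)
    origin = h.get("origin")
    if origin is None:
        return {}  # no Origin header, so there is nothing to grant
    if "cookie" in h or origin in allowed:
        return _grant(origin)
    return {}


def cors_headers_strict(headers, allowed=ALLOWED_ORIGINS):
    """Strict: the origin is validated whether or not a cookie is sent."""
    h = _lower_keys(headers)
    origin = h.get("origin")
    if origin is None or origin not in allowed:
        return {}
    return _grant(origin)


# Constructed requests: the app's own page, then a page on an unrelated site
# whose request arrives with the session cookie attached.
SAME_SITE = {"Host": "localhost:7860", "Origin": "http://localhost:7860",
             "Cookie": "session=PLACEHOLDER"}
CROSS_SITE = {"Host": "localhost:7860", "Origin": "https://untrusted.example",
              "Cookie": "session=PLACEHOLDER"}

if __name__ == "__main__":
    for name, req in (("same-site", SAME_SITE), ("cross-site", CROSS_SITE)):
        print(name, "flawed:", bool(cors_headers_flawed(req)),
              "strict:", bool(cors_headers_strict(req)))
```

With the flawed check the unrelated origin receives a credentialed grant only because a cookie is present; the strict check returns no CORS headers for it, so the browser withholds the response from the calling page.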

Exploitation Scenario

Adversary identifies a target ML engineer known to use Gradio (via LinkedIn, GitHub commits, or conference talks). Engineer has Gradio 4.43 running on localhost:7860 with basic auth enabled for a team LLM evaluation interface. Adversary sends a spear-phishing email linking to a page that appears to be a relevant ML paper or dataset. When the engineer opens the link while their Gradio session is active, the attacker's JavaScript silently issues cross-origin requests to localhost:7860—Gradio skips CORS validation because the auth cookie is present. The attacker exfiltrates the session token, then uses it to upload a malicious file disguised as evaluation data, which gets processed through the model pipeline. In a more targeted scenario, the adversary maps the Gradio interface to discover connected data sources before exfiltrating model outputs or proprietary prompts.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Timeline

Published
October 10, 2024
Last Modified
January 21, 2025
First Seen
October 10, 2024
