CVE-2024-47084: Gradio: CORS bypass exposes local instances to credential theft

GHSA-3c67-5hwx-f6wx HIGH
Published October 10, 2024
CISO Take

Any ML/AI team running Gradio locally with basic authentication is exposed: a developer visiting a malicious website while logged into Gradio can have auth tokens stolen and files exfiltrated silently. Upgrade to Gradio 4.44.0+ immediately and audit all internal Gradio deployments—this is a trivially exploitable, browser-based attack requiring zero ML expertise. Until patched, restrict Gradio access to localhost only and prohibit general browsing from machines running Gradio sessions.

What is the risk?

CVSS 8.3 HIGH with low attack complexity and no privilege requirements makes this serious, but EPSS at 0.00138 indicates limited active exploitation in the wild. The real risk multiplier is Gradio's adoption footprint: it is the de facto standard for rapid ML prototyping, meaning nearly every AI/ML team has at least one instance running locally. The attack requires user interaction (the victim visits an attacker page), which limits mass exploitation but makes targeted attacks against known Gradio users highly feasible via phishing or watering holes. The CVE is not in CISA KEV and a patch is available; risk drops substantially post-upgrade.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Gradio pip No patch
43.0K OpenSSF 5.6 685 dependents Pushed 5d ago 26% patched ~110d to patch
Gradio pip < 4.44.0 4.44.0

How severe is it?

CVSS 3.1: 8.3 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 38% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

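Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): Low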

What should I do?

7 steps
  1. PATCH

    Upgrade Gradio to >= 4.44.0 immediately—this is the only complete fix.

  2. WORKAROUND (pre-patch)

    Modify CustomCORSMiddleware in the local Gradio installation to remove the condition that skips CORS validation when a cookie is present.

  3. NETWORK

    Bind Gradio to 127.0.0.1 only (not 0.0.0.0); use SSH tunneling for remote access rather than exposing the port.

  4. AUTH

    Avoid browser-based basic auth on shared Gradio instances; prefer token-based access with short expiry.

  5. BROWSER HYGIENE

    Enforce policy against general internet browsing from machines running active Gradio sessions.

  6. DETECTION

    Review Gradio access logs for cross-origin requests or unexpected file upload activity from unfamiliar origins.

  7. INVENTORY

    Enumerate all Gradio instances across the organization—shadow ML environments are common and often unpatched.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  6.1.2 - Information security risk assessment
  A.9.3 - AI system security
NIST AI RMF
  GOVERN-1.2 - Organizational policies address AI risk
  MANAGE-2.2 - Mechanisms exist to detect, respond to, and recover from risks
OWASP LLM Top 10
  LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-47084?

Any ML/AI team running Gradio locally with basic authentication is exposed: a developer visiting a malicious website while logged into Gradio can have auth tokens stolen and files exfiltrated silently. Upgrade to Gradio 4.44.0+ immediately and audit all internal Gradio deployments—this is a trivially exploitable, browser-based attack requiring zero ML expertise. Until patched, restrict Gradio access to localhost only and prohibit general browsing from machines running Gradio sessions.

Is CVE-2024-47084 actively exploited?

No confirmed active exploitation of CVE-2024-47084 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-47084?

  1. PATCH: Upgrade Gradio to >= 4.44.0 immediately; this is the only complete fix.
  2. WORKAROUND (pre-patch): Modify CustomCORSMiddleware in the local Gradio installation to remove the condition that skips CORS validation when a cookie is present.
  3. NETWORK: Bind Gradio to 127.0.0.1 only (not 0.0.0.0); use SSH tunneling for remote access rather than exposing the port.
  4. AUTH: Avoid browser-based basic auth on shared Gradio instances; prefer token-based access with short expiry.
  5. BROWSER HYGIENE: Enforce policy against general internet browsing from machines running active Gradio sessions.
  6. DETECTION: Review Gradio access logs for cross-origin requests or unexpected file upload activity from unfamiliar origins.
  7. INVENTORY: Enumerate all Gradio instances across the organization; shadow ML environments are common and often unpatched.

What systems are affected by CVE-2024-47084?

This vulnerability affects the following AI/ML architecture patterns: ML prototyping environments, local model serving, AI demo and evaluation interfaces, LLM application frontends, model fine-tuning workflows.

What is the CVSS score for CVE-2024-47084?

CVE-2024-47084 has a CVSS v3.1 base score of 8.3 (HIGH). The EPSS exploitation probability is 0.48%.

What is the AI security impact?

Affected AI Architectures

ML prototyping environments, local model serving, AI demo and evaluation interfaces, LLM application frontends, model fine-tuning workflows

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0078 Drive-by Compromise
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2, A.9.3
NIST AI RMF: GOVERN-1.2, MANAGE-2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication. Users are advised to upgrade to `gradio>4.44` to address this issue. As a workaround, users can manually enforce stricter CORS origin validation by modifying the `CustomCORSMiddleware` class in their local Gradio server code. Specifically, they can bypass the condition that skips CORS validation for requests containing cookies to prevent potential exploitation.
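The cookie condition described in the advisory, shown as an added illustration that is not Gradio's code: a simplified origin check written once with the cookie shortcut and once without it. The function names, the localhost-only origin policy and the sample request headers are assumptions constructed for this example.

```python
from urllib.parse import urlparse

# Assumption: host names that indicate the server runs on the local machine.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0"}

# Constructed sample requests (lower-cased header names, placeholder values).
SAME_ORIGIN = {"host": "localhost:7860", "origin": "http://localhost:7860",
               "cookie": "session=placeholder"}
CROSS_WITH_COOKIE = {"host": "localhost:7860",
                     "origin": "https://untrusted.example",
                     "cookie": "session=placeholder"}
CROSS_NO_COOKIE = {"host": "localhost:7860",
                   "origin": "https://untrusted.example"}

def hostname(value):
    """Bare host name from a Host header or an Origin URL."""
    return urlparse(value if "://" in value else "//" + value).hostname or ""

def origin_is_valid(headers):
    """Assumed policy: a server reached on a local host trusts only local origins."""
    origin = headers.get("origin")
    if origin is None:  # no Origin header: not a cross-origin browser request
        return True
    host_is_local = hostname(headers.get("host", "")) in LOCAL_HOSTS
    return not host_is_local or hostname(origin) in LOCAL_HOSTS

def _allow(headers):
    """Response headers that let the requesting origin read a credentialed response."""
    if "origin" not in headers:
        return {}
    return {"access-control-allow-origin": headers["origin"],
            "access-control-allow-credentials": "true"}

def cors_headers_flawed(headers):
    """Flawed form: a request that carries a cookie skips origin validation."""
    if "cookie" in headers or origin_is_valid(headers):
        return _allow(headers)
    return {}

def cors_headers_strict(headers):
    """Strict form: the origin is validated whether or not a cookie is present."""
    return _allow(headers) if origin_is_valid(headers) else {}

if __name__ == "__main__":
    for name, req in [("same-origin", SAME_ORIGIN),
                      ("cross-origin + cookie", CROSS_WITH_COOKIE),
                      ("cross-origin, no cookie", CROSS_NO_COOKIE)]:
        print(name, "| flawed:", bool(cors_headers_flawed(req)),
              "| strict:", bool(cors_headers_strict(req)))
```

The two forms differ only for the cross-origin request that carries a cookie, which is the case to look for when reviewing a locally modified middleware.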

Exploitation Scenario

Adversary identifies a target ML engineer known to use Gradio (via LinkedIn, GitHub commits, or conference talks). Engineer has Gradio 4.43 running on localhost:7860 with basic auth enabled for a team LLM evaluation interface. Adversary sends a spear-phishing email linking to a page that appears to be a relevant ML paper or dataset. When the engineer opens the link while their Gradio session is active, the attacker's JavaScript silently issues cross-origin requests to localhost:7860—Gradio skips CORS validation because the auth cookie is present. The attacker exfiltrates the session token, then uses it to upload a malicious file disguised as evaluation data, which gets processed through the model pipeline. In a more targeted scenario, the adversary maps the Gradio interface to discover connected data sources before exfiltrating model outputs or proprietary prompts.

Weaknesses (CWE)

CWE-285 — Improper Authorization: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Timeline

Published: October 10, 2024
Last Modified: January 21, 2025
First Seen: October 10, 2024

Related Vulnerabilities