CVE-2024-47164 — MEDIUM (CVSS 6.5) AI Security Vulnerability

Q: What systems are affected by CVE-2024-47164?

This vulnerability affects the following AI/ML architecture patterns: ML prototyping environments, model serving, inference endpoints, AI demo applications.

Q: What is the CVSS score for CVE-2024-47164?

CVE-2024-47164 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.20%.

CISO Take

Any internet-facing Gradio deployment running < 5.0.0 is exploitable by unauthenticated attackers to read arbitrary files outside the intended directory. The fix is a single package upgrade to gradio>=5.0.0. Audit your ML demo and prototyping environments immediately — these are often overlooked in standard vulnerability management cycles.

Risk Assessment

CVSS 6.5 understates operational risk for orgs with public-facing Gradio instances. The attack requires no authentication, no user interaction, and is network-accessible — any exposed deployment is trivially reachable. Gradio is pervasive in ML research and prototyping environments that typically have a loose security posture, with sensitive assets (model weights, API keys, cloud credentials) often co-located on the same host. EPSS 0.00202 is low, but the low exploitation complexity means targeted attacks are feasible once the asset is identified via passive recon.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →
gradio	pip	< 5.0.0	`5.0.0`
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 42% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I Low

A None

Recommended Action

5 steps

PATCH

Upgrade to gradio>=5.0.0 immediately across all environments (dev, staging, prod).
WORKAROUND (if upgrade blocked): Normalize all file paths to absolute resolved paths before passing to is_in_or_equal — use os.path.realpath() or pathlib.Path.resolve() to collapse .. sequences before validation.
NETWORK CONTROLS

Restrict Gradio deployments to internal networks or place behind authenticated reverse proxy; no Gradio instance should be internet-facing without auth.
DETECTION

Search access logs for path parameters containing '../', '%2e%2e', or double-encoded variants.
AUDIT

Run 'pip show gradio' across all ML environments; treat any version < 5.0.0 as unpatched.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Framework Inference AML.T0007 - Discover AI Artifacts AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2.6 - AI system security — input validation A.9.4 - Incident management for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain treatment of AI risks MEASURE 2.5 - AI system to be deployed is demonstrated to be valid and reliable

OWASP LLM Top 10

LLM05:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-47164?

Any internet-facing Gradio deployment running < 5.0.0 is exploitable by unauthenticated attackers to read arbitrary files outside the intended directory. The fix is a single package upgrade to gradio>=5.0.0. Audit your ML demo and prototyping environments immediately — these are often overlooked in standard vulnerability management cycles.

Is CVE-2024-47164 actively exploited?

No confirmed active exploitation of CVE-2024-47164 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-47164?

1. PATCH: Upgrade to gradio>=5.0.0 immediately across all environments (dev, staging, prod). 2. WORKAROUND (if upgrade blocked): Normalize all file paths to absolute resolved paths before passing to is_in_or_equal — use os.path.realpath() or pathlib.Path.resolve() to collapse .. sequences before validation. 3. NETWORK CONTROLS: Restrict Gradio deployments to internal networks or place behind authenticated reverse proxy; no Gradio instance should be internet-facing without auth. 4. DETECTION: Search access logs for path parameters containing '../', '%2e%2e', or double-encoded variants. 5. AUDIT: Run 'pip show gradio' across all ML environments; treat any version < 5.0.0 as unpatched.

What systems are affected by CVE-2024-47164?

This vulnerability affects the following AI/ML architecture patterns: ML prototyping environments, model serving, inference endpoints, AI demo applications.

What is the CVSS score for CVE-2024-47164?

CVE-2024-47164 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.20%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to the **bypass of directory traversal checks** within the `is_in_or_equal` function. This function, intended to check if a file resides within a given directory, can be bypassed with certain payloads that manipulate file paths using `..` (parent directory) sequences. Attackers could potentially access restricted files if they are able to exploit this flaw, although the difficulty is high. This primarily impacts users relying on Gradio’s blocklist or directory access validation, particularly when handling file uploads. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually sanitize and normalize file paths in their Gradio deployment before passing them to the `is_in_or_equal` function. Ensuring that all file paths are properly resolved and absolute can help mitigate the bypass vulnerabilities caused by the improper handling of `..` sequences or malformed paths.

Exploitation Scenario

An adversary scans for public-facing Gradio deployments via Shodan or Censys using Gradio-specific HTTP response fingerprints. They identify a research team's model demo endpoint running gradio 4.x. By crafting a file upload request with a path parameter containing '../../.huggingface/token' or '../../app/.env', they bypass the is_in_or_equal directory check and retrieve the file contents in the HTTP response. The attacker now has the team's Hugging Face API token, enabling them to clone private models, access private datasets, or pivot to other services authenticated with the same token. The full attack chain takes under 5 minutes and requires no specialized ML knowledge.