CVE-2024-47165: Gradio: CORS null origin bypass leaks auth tokens

GHSA-89v2-pqfv-c5r9 MEDIUM
Published October 10, 2024
CISO Take

Any data scientist or ML engineer running Gradio locally with basic auth is exposed — an attacker just needs to lure them to a malicious page with a sandboxed iframe to steal credentials and uploaded files. EPSS is low and this isn't actively exploited, but the attack is trivial to execute. Mandate upgrade to gradio>=5.0 across all internal ML tooling; inventory who's running Gradio locally.

Risk Assessment

Medium severity with meaningful operational risk in AI/ML environments. CVSS 5.4 reflects limited scope (local deployments only, requires user interaction), but the actual exploitability is trivial — null origin CORS bypass is a well-documented web attack with no AI-specific knowledge required. The primary exposure is internal: data scientists and ML engineers routinely run Gradio locally for prototyping, often with basic auth and sensitive data. EPSS 0.00168 indicates no current active exploitation, reducing urgency, but the low technical barrier keeps it actionable.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | | No patch |
| gradio | pip | < 5.0.0 | 5.0.0 |

gradio: 42.5K, OpenSSF 5.6, 674 dependents, pushed 8d ago, 27% patched, ~110d to patch

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 38% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR None
UI Required
S Unchanged
C Low
I Low
A None

Recommended Action

  1. PATCH: Upgrade all Gradio instances to >=5.0.0 (pip install --upgrade gradio).

  2. WORKAROUND (if upgrade blocked): Locate localhost_aliases in Gradio source and remove 'null' from the list.

  3. INVENTORY: Run 'pip list | grep gradio' across developer workstations and CI environments to identify exposed versions.

  4. DETECTION: Review web server logs for requests with Origin: null headers to Gradio endpoints — anomalous in legitimate browser traffic.

  5. DEFENSE-IN-DEPTH: Enforce network-level controls so local Gradio ports (default 7860) are not reachable from unexpected sources; avoid basic auth in favor of stronger authentication mechanisms for any Gradio instance with sensitive data.
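
One way to carry out the detection step, as an added example that is not part of the advisory or of Gradio: it scans access-log lines for requests whose Origin header was the literal `null`. It assumes a reverse proxy in front of Gradio that records the Origin header as a trailing `origin="..."` field (for instance an nginx `log_format` using `$http_origin`); the log layout, function name and sample lines are constructed for illustration.

```python
import re

# Assumed log layout: common-log fields followed by origin="<Origin header>".
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'origin="(?P<origin>[^"]*)"$'
)


def null_origin_hits(lines):
    """Return parsed requests whose Origin header was the literal 'null'."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        if m["origin"].strip().lower() != "null":
            continue  # ordinary origin, or "-" when no Origin header was sent
        hit = m.groupdict()
        hit["status"] = int(hit["status"])
        # A status below 400 means the server answered the request,
        # so this entry deserves a closer look than a rejected one.
        hit["served"] = hit["status"] < 400
        hits.append(hit)
    return hits


# Constructed sample lines. The client is 127.0.0.1 because the requests
# come from the user's own browser talking to the local Gradio port.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2024:09:14:02 +0000] "GET /config HTTP/1.1" 200 4312 origin="http://localhost:7860"',
    '127.0.0.1 - - [10/Oct/2024:09:15:40 +0000] "GET /config HTTP/1.1" 200 4312 origin="null"',
    '127.0.0.1 - - [10/Oct/2024:09:15:41 +0000] "POST /upload HTTP/1.1" 403 0 origin="null"',
    '127.0.0.1 - - [10/Oct/2024:09:16:00 +0000] "GET / HTTP/1.1" 200 901 origin="-"',
    'truncated or foreign-format line',
]

if __name__ == "__main__":
    for hit in null_origin_hits(SAMPLE_LOG):
        state = "served" if hit["served"] else "rejected"
        print(f'{hit["ts"]} {hit["method"]} {hit["path"]} {hit["status"]} ({state})')
```
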

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.9.1 - Access Control for AI Systems
NIST AI RMF
MANAGE-2.2 - Risk Response — Treatment of Identified AI Risks
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-47165 actively exploited?

No confirmed active exploitation of CVE-2024-47165 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2024-47165?

This vulnerability affects the following AI/ML architecture patterns: ML UI and demo tooling, Local model serving, Internal AI prototyping environments, LLM application development workflows.

What is the CVSS score for CVE-2024-47165?

CVE-2024-47165 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.17%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude "null" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation.
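
The origin check described above, reduced to a small model (an added example, not Gradio's source code): it shows why a list containing "null" grants CORS access to a sandboxed page and how removing that entry changes the outcome. Only `localhost_aliases` and the "null" entry come from the advisory; the other alias values, the function names and the echoed response headers are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Illustrative alias lists (assumed values; only "null" is taken from the advisory).
ALIASES_WITH_NULL = ["localhost", "127.0.0.1", "0.0.0.0", "null"]  # before the fix
ALIASES_HARDENED = ["localhost", "127.0.0.1", "0.0.0.0"]           # "null" removed


def origin_host(origin: str) -> str:
    """Host part of an Origin header value.

    Browsers send the literal string "null" for opaque origins such as
    sandboxed iframes; it has no scheme or host, so it is passed through as-is.
    """
    if origin.strip().lower() == "null":
        return "null"
    return urlparse(origin).hostname or ""


def local_origin_allowed(origin, localhost_aliases) -> bool:
    """Decide whether a locally served app should grant CORS access."""
    if origin is None:  # no Origin header: not a cross-origin browser request
        return True
    return origin_host(origin) in localhost_aliases


def cors_response_headers(origin, localhost_aliases) -> dict:
    """Headers the model server adds (assumed shape).

    Echoing the origin together with credentials is what lets the
    requesting page read an authenticated response.
    """
    if origin is None or not local_origin_allowed(origin, localhost_aliases):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    for origin in ("http://localhost:7860", "null", "https://other.example"):
        before = bool(cors_response_headers(origin, ALIASES_WITH_NULL))
        after = bool(cors_response_headers(origin, ALIASES_HARDENED))
        print(f"{origin!r}: granted with 'null' listed={before}, hardened={after}")
```
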

Exploitation Scenario

An attacker crafts a malicious webpage containing a sandboxed iframe (sandbox attribute strips the origin, causing browsers to send Origin: null). The page is delivered via phishing or a compromised internal tool. When a data scientist running a local Gradio instance on port 7860 visits the page, the iframe silently makes cross-origin requests to localhost:7860 — which Gradio accepts because 'null' is in its allowed origins list. The attacker's JS receives authenticated responses, extracting session tokens or triggering file upload/download endpoints to exfiltrate sensitive model inputs, outputs, or datasets the researcher had loaded into the UI.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Timeline

Published
October 10, 2024
Last Modified
January 21, 2025
First Seen
October 10, 2024

Related Vulnerabilities