AI Threat Alert AI Threat Alert

CVE-2024-47167: Gradio: unauthenticated SSRF in /queue/join, internal pivot

GHSA-576c-3j53-r9jj CRITICAL
Published October 10, 2024
CISO Take

Any Gradio instance below v5.0.0 exposes your internal network to unauthenticated SSRF — no credentials needed, no user interaction required. This is particularly dangerous in ML environments where Gradio demos often run on hosts with access to model APIs, S3 buckets, cloud metadata endpoints, and internal tooling. Upgrade to gradio>=5 immediately and audit every Gradio deployment for network exposure.

Risk Assessment

CVSS 9.8 with network-accessible, zero-auth, zero-interaction attack vector makes this a drop-everything patch. Despite low EPSS (0.00236), SSRF exploits are commodity-level — any script kiddie can abuse this. The real multiplier is deployment context: ML teams routinely run Gradio on cloud VMs with access to IMDSv1 metadata (AWS 169.254.169.254), internal model registries, and data pipelines. A single compromised Gradio instance can cascade into full cloud credential theft or internal network lateral movement.

Affected Systems

Package Ecosystem Vulnerable Range Patched
gradio pip No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →
gradio pip < 5.0.0 5.0.0
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 46% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

5 steps

  1. PATCH

    Upgrade to gradio>=5.0.0 — this is the only complete fix.

  2. IMMEDIATE WORKAROUND

    Implement allowlist-based URL validation restricting inputs to trusted domains only; block all RFC1918 addresses and link-local ranges (169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

  3. NETWORK CONTROL

    Apply egress filtering on hosts running Gradio to block outbound HTTP to internal subnets.

  4. DETECTION

    Monitor for outbound HTTP requests from Gradio processes to internal IPs or metadata endpoints; alert on file writes to cache directories from unexpected URL sources.

  5. INVENTORY

    Identify all Gradio instances — pay special attention to cloud-hosted VMs and internal demo environments.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Code Execution Framework Inference AML.T0006 AML.T0025 AML.T0037 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.1.2 - AI-related threat and vulnerability identification A.9.3 - AI system security
NIST AI RMF
GOVERN 6.1 - Policies and procedures are in place for AI risk management MANAGE 2.2 - Mechanisms to sustain, track, and manage AI risks over time
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2024-47167?

Any Gradio instance below v5.0.0 exposes your internal network to unauthenticated SSRF — no credentials needed, no user interaction required. This is particularly dangerous in ML environments where Gradio demos often run on hosts with access to model APIs, S3 buckets, cloud metadata endpoints, and internal tooling. Upgrade to gradio>=5 immediately and audit every Gradio deployment for network exposure.

Is CVE-2024-47167 actively exploited?

No confirmed active exploitation of CVE-2024-47167 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-47167?

1. PATCH: Upgrade to gradio>=5.0.0 — this is the only complete fix. 2. IMMEDIATE WORKAROUND: Implement allowlist-based URL validation restricting inputs to trusted domains only; block all RFC1918 addresses and link-local ranges (169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). 3. NETWORK CONTROL: Apply egress filtering on hosts running Gradio to block outbound HTTP to internal subnets. 4. DETECTION: Monitor for outbound HTTP requests from Gradio processes to internal IPs or metadata endpoints; alert on file writes to cache directories from unexpected URL sources. 5. INVENTORY: Identify all Gradio instances — pay special attention to cloud-hosted VMs and internal demo environments.

What systems are affected by CVE-2024-47167?

This vulnerability affects the following AI/ML architecture patterns: ML prototyping and demo environments, Model evaluation UIs, Internal MLOps tooling, Model serving interfaces, AI application backends on cloud VMs.

What is the CVSS score for CVE-2024-47167?

CVE-2024-47167 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_cache` function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This could enable attackers to target internal servers or services within a local network and possibly exfiltrate data or cause unwanted internal requests. Additionally, the content from these URLs is stored locally, making it easier for attackers to upload potentially malicious files to the server. This impacts users deploying Gradio servers that use components like the Video component which involve URL fetching. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can disable or heavily restrict URL-based inputs in their Gradio applications to trusted domains only. Additionally, implementing stricter URL validation (such as allowinglist-based validation) and ensuring that local or internal network addresses cannot be requested via the `/queue/join` endpoint can help mitigate the risk of SSRF attacks.

Exploitation Scenario

Attacker identifies an internet-facing Gradio deployment (common for model demos, AI hackathons, internal ML tooling). They POST to `/queue/join` with a crafted payload containing a URL pointing to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` (AWS IMDS). Gradio's `async_save_url_to_cache` fetches the URL server-side and stores the response locally. Attacker retrieves the cached file containing IAM temporary credentials, then pivots to AWS APIs with full role permissions — exfiltrating training data, accessing model artifacts in S3, or escalating to broader cloud infrastructure.

Weaknesses (CWE)

CWE-918 Primary CWE-918 Server-Side Request Forgery (SSRF) Primary CWE-918

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
October 10, 2024
Last Modified
January 21, 2025
First Seen
October 10, 2024

Related Vulnerabilities

CRITICAL CVE-2024-39236 9.8

Gradio: code injection via component metadata (CVSS 9.8)

Same package: gradio
CRITICAL CVE-2023-25823 9.8

Gradio: hardcoded SSH key leaks via share=True demos

Same package: gradio
CRITICAL CVE-2024-0964 9.4

Gradio: unauthenticated LFI exposes full server filesystem

Same package: gradio
CRITICAL CVE-2023-34239 9.1

Gradio: path traversal + SSRF exposes model files & infra

Same package: gradio
CRITICAL CVE-2024-4253 9.1

Gradio: CI/CD command injection enables secrets exfiltration

Same package: gradio
Back to Threat Feed