CVE-2024-47168: Gradio: monitoring endpoint bypass leaks app analytics

GHSA-hm3c-93pg-4cxw MEDIUM
Published October 10, 2024
CISO Take

Gradio deployments with enable_monitoring=False are silently exposing the /monitoring dashboard to any authenticated user — your assumption of privacy is wrong. This affects internal ML demo platforms and model-serving UIs where analytics data (query volumes, usage patterns, user behavior) may be considered sensitive. Upgrade to gradio>=4.44.0 immediately; there are no workarounds.

What is the risk?

Risk is moderate-low in isolation but elevated in enterprise ML environments where Gradio instances serve internal models or handle sensitive query patterns. CVSS 4.3 reflects low-privilege network access with no interaction required — any authenticated user can exploit this. The real exposure depends on what the monitoring dashboard reveals: model usage metrics, query rates, and user analytics could aid reconnaissance of AI system behavior. Not actively exploited and not in KEV, but the trust violation (disabled flag = still exposed) is operationally significant.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
Gradio    pip         -                  No patch
Gradio    pip         < 4.44.0           4.44.0

Package profile: 43.0K, OpenSSF 5.6, 685 dependents, pushed 4d ago, 26% patched, ~110d to patch

How severe is it?

CVSS 3.1: 4.3 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 24% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I None
A None

What should I do?

  1. Upgrade to gradio>=4.44.0 immediately — this is the only fix, no workarounds exist per the advisory.

  2. Audit all Gradio instances in your environment: run 'pip show gradio' to check versions.

  3. If immediate upgrade is blocked, place a WAF or reverse proxy rule blocking direct access to the /monitoring path.

  4. Review access logs for unauthorized hits to /monitoring on affected versions.

  5. Treat monitoring data exposed during the vulnerability window as potentially compromised — assess what was visible.
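Steps 2 and 4 can be scripted. The following is an added example, not code from Gradio or the advisory: it compares a version string as printed by 'pip show gradio' against 4.44.0, and groups /monitoring requests in an access log by client. The log format (Common/Combined Log Format from a fronting proxy), the sample lines and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

FIXED = (4, 44, 0)  # first patched release named on this page

# Assumption: the proxy in front of Gradio logs in Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic).
SAMPLE = [
    '10.0.0.5 - alice [10/Oct/2024:09:12:01 +0000] "GET / HTTP/1.1" 200 5120',
    '10.0.0.9 - bob [10/Oct/2024:09:13:44 +0000] "GET /monitoring HTTP/1.1" 200 18233',
    '10.0.0.9 - bob [10/Oct/2024:09:13:50 +0000] "GET /Monitoring/?t=1 HTTP/1.1" 200 18410',
    '10.0.0.7 - - [10/Oct/2024:09:20:02 +0000] "GET /monitoring HTTP/1.1" 403 153',
    '10.0.0.5 - alice [10/Oct/2024:09:21:10 +0000] "POST /api/predict HTTP/1.1" 200 88',
]


def is_affected(version):
    """True if the version is below 4.44.0 (numeric compare; pre-release tags ignored)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED


def monitoring_hits(lines):
    """Map client IP -> [(timestamp, user, status, served)] for /monitoring requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        # Drop the query string, decode %-escapes, ignore case and trailing slash.
        path = unquote(urlsplit(m["target"]).path).rstrip("/").lower()
        if path == "/monitoring" or path.startswith("/monitoring/"):
            status = int(m["status"])
            hits[m["ip"]].append((m["ts"], m["user"], status, 200 <= status < 300))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in monitoring_hits(SAMPLE).items():
        for ts, user, status, served in events:
            print(f"{ip} {user} {ts} {status} {'SERVED' if served else 'blocked'}")
```

Entries marked SERVED on an instance where is_affected() is true are the ones to carry into step 5.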

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 12 - Record-keeping and logging
ISO 42001
  8.4 - AI system risk controls
  9.1 - Monitoring, measurement, analysis and evaluation
NIST AI RMF
  GOVERN-6.1 - Policies and procedures are in place for AI risk management
  MANAGE-2.2 - Mechanisms are in place for AI risks to be tracked
OWASP LLM Top 10
  LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-47168 actively exploited?

No confirmed active exploitation of CVE-2024-47168 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2024-47168?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo platforms, internal AI tooling.

What is the CVSS score for CVE-2024-47168?

CVE-2024-47168 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

model serving, ML demo platforms, internal AI tooling

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0063 Discover AI Model Outputs

Compliance Controls Affected

EU AI Act: Article 12
ISO 42001: 8.4, 9.1
NIST AI RMF: GOVERN-6.1, MANAGE-2.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly disabled, an attacker or unauthorized user can still access the monitoring dashboard by directly requesting the /monitoring endpoint. This means that sensitive application analytics may still be exposed, particularly in environments where monitoring is expected to be disabled. Users who set enable_monitoring=False to prevent unauthorized access to monitoring data are impacted. Users are advised to upgrade to gradio>=4.44 to address this issue. There are no known workarounds for this vulnerability.

Exploitation Scenario

An attacker with low-privilege authenticated access to a Gradio-powered ML interface (e.g., a standard user account on an internal model demo) directly navigates to the /monitoring endpoint. Despite the operator having set enable_monitoring=False — believing access was disabled — the endpoint responds with full application analytics. The attacker harvests query volume data, user interaction patterns, and usage metrics. In a competitive intelligence or insider threat scenario, this data reveals which models are actively used, query frequency, and operational patterns of the AI system without triggering any alerts since the access appears legitimate.

Weaknesses (CWE)

CWE-670 — Always-Incorrect Control Flow Implementation: The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Timeline

Published: October 10, 2024
Last Modified: January 21, 2025
First Seen: October 10, 2024
