Gradio's sharing feature downloads an FRP (Fast Reverse Proxy) client binary with no checksum or signature verification, meaning a compromised CDN, DNS hijack, or MITM can deliver a malicious binary that executes on your ML server. Upgrade to Gradio 5.0.0 immediately; if upgrade is blocked, disable share=True in all Gradio deployments. Any team that ran Gradio sharing in a production or sensitive environment before patching should treat the host as potentially compromised.
What is the risk?
Real-world risk is moderate despite CVSS 7.5. Exploitation requires a pre-positioned adversary on the download path (CDN compromise, DNS hijack, or MITM), which raises the bar. EPSS is extremely low (0.22%) and the CVE is not listed in KEV. However, Gradio is widely deployed in ML research, internal demos, and rapid prototyping environments that often have privileged access to models and data, so the blast radius is high if the preconditions are met. Teams that expose Gradio externally via share=True are the highest-risk population.
What systems are affected?
How severe is it?
What is the attack surface?
What should I do?
1. Patch: upgrade Gradio to >= 5.0.0 immediately (fixes integrity verification).
2. Disable sharing: set share=False in all Gradio launch() calls in environments where upgrade is delayed.
3. Network control: block outbound HTTP/S from ML servers to non-approved CDNs; FRP download should never happen from a production server.
4. Detection: audit process trees on hosts running Gradio for unexpected child processes spawned by the Gradio server process.
5. Post-patch validation: if you ran share=True before patching, hash the existing FRP binary against known-good values from Gradio 5.0.0 release artifacts and investigate any mismatch.
6. Policy: enforce that ML tooling (Gradio, Streamlit, Jupyter) runs in isolated containers without egress to arbitrary external URLs.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
Is CVE-2024-47867 actively exploited?
No confirmed active exploitation of CVE-2024-47867 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2024-47867?
This vulnerability affects the following AI/ML architecture patterns: ML development environments, model serving, data science workbenches.
What is the CVSS score for CVE-2024-47867?
CVE-2024-47867 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.21%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0079 Stage Capabilities
Compliance Controls Affected
What are the technical details?
Original Advisory
Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.
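The manual validation the advisory mentions, and the post-patch hash comparison in the remediation steps, both reduce to the same check: compare the binary's SHA-256 with a value pinned from a trusted source before it is ever made executable. The following is an added example, not Gradio's code; the function names, file names and sample bytes are hypothetical, and the pinned digest is assumed to have been recorded out of band.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so a large binary is hashed without loading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def install_verified(staged, final, pinned_sha256):
    """Promote a staged download to `final` only if it matches the pin.

    The staged file never carries an exec bit before verification. On a
    mismatch it is kept read-only under a .rejected name so it can be
    investigated, and nothing appears at `final`.
    """
    actual = sha256_file(staged)
    if not hmac.compare_digest(actual, pinned_sha256.strip().lower()):
        os.chmod(staged, 0o400)
        os.replace(staged, staged + ".rejected")
        return False
    os.chmod(staged, 0o500)      # owner read + execute only
    os.replace(staged, final)    # atomic rename within the same directory
    return True

def demo():
    # Constructed sample bytes standing in for a genuine and a tampered download.
    good = b"constructed-tunnel-client-build"
    pin = hashlib.sha256(good).hexdigest()  # assumption: pin recorded out of band
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("genuine", good), ("tampered", good + b"\x90")):
            staged = os.path.join(tmp, name + ".download")
            final = os.path.join(tmp, name + ".bin")
            with open(staged, "wb") as fh:
                fh.write(body)
            ok = install_verified(staged, final, pin)
            results[name] = (ok, os.path.exists(final),
                             os.path.exists(staged + ".rejected"))
    return results

if __name__ == "__main__":
    print(demo())
```

A checksum only helps if the pinned value comes from a channel the download path cannot influence; fetching the hash from the same server as the binary gives no protection against the scenarios described here.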
Exploitation Scenario
An adversary targeting an ML team compromises the CDN or DNS resolution for the Gradio FRP client download URL (or positions themselves as MITM on a corporate network). When a data scientist runs gradio.launch(share=True) to demo a new model, Gradio fetches the FRP binary and executes it without any hash check. The adversary's payload—a trojanized FRP binary—runs as the Python process user, giving immediate code execution on a machine that likely holds model weights, training datasets, Hugging Face tokens, and internal API credentials. Because Gradio demos are often short-lived, the compromise may go undetected while credentials are exfiltrated.
Weaknesses (CWE)
CWE-345 Insufficient Verification of Data Authenticity
Primary
CWE-494 Download of Code Without Integrity Check
Primary
CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
Timeline
Related Vulnerabilities
CVE-2024-47167 9.8 Gradio: unauthenticated SSRF in /queue/join, internal pivot
Same package: gradio
CVE-2024-39236 9.8 Gradio: code injection via component metadata (CVSS 9.8)
Same package: gradio
CVE-2023-25823 9.8 Gradio: hardcoded SSH key leaks via share=True demos
Same package: gradio
CVE-2024-0964 9.4 Gradio: unauthenticated LFI exposes full server filesystem
Same package: gradio
CVE-2023-34239 9.1 Gradio: path traversal + SSRF exposes model files & infra
Same package: gradio