CVE-2024-47867: Gradio: no integrity check on FRP binary, supply chain RCE

GHSA-8c87-gvhj-xm8m HIGH
Published October 10, 2024
CISO Take

Gradio's sharing feature downloads an FRP (Fast Reverse Proxy) client binary with no checksum or signature verification, meaning a compromised CDN, DNS hijack, or MITM can deliver a malicious binary that executes on your ML server. Upgrade to Gradio 5.0.0 immediately; if upgrade is blocked, disable share=True in all Gradio deployments. Any team that ran Gradio sharing in a production or sensitive environment before patching should treat the host as potentially compromised.

Risk Assessment

Real-world risk is moderate despite CVSS 7.5. Exploitation requires a pre-positioned adversary on the download path (CDN compromise, DNS hijack, or MITM), which raises the bar. EPSS is extremely low (0.22%) and the CVE is not listed in KEV. However, Gradio is widely deployed in ML research, internal demos, and rapid prototyping environments that often have privileged access to models and data, so the blast radius is high if the preconditions are met. Teams that expose Gradio externally via share=True are the highest-risk population.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
gradio | pip | | No patch
gradio | pip | < 5.0.0 | 5.0.0

gradio: 42.5K, OpenSSF 5.6, 674 dependents, pushed 8d ago, 27% patched, ~110d to patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 45% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I High
A None

Recommended Action

  1. Patch: upgrade Gradio to >= 5.0.0 immediately (fixes integrity verification).

  2. Disable sharing: set share=False in all Gradio launch() calls in environments where upgrade is delayed.

  3. Network control: block outbound HTTP/S from ML servers to non-approved CDNs; FRP download should never happen from a production server.

  4. Detection: audit process trees on hosts running Gradio for unexpected child processes spawned by the Gradio server process.

  5. Post-patch validation: if you ran share=True before patching, hash the existing FRP binary against known-good values from Gradio 5.0.0 release artifacts and investigate any mismatch.

  6. Policy: enforce that ML tooling (Gradio, Streamlit, Jupyter) runs in isolated containers without egress to arbitrary external URLs.

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system lifecycle — Security of the AI system
NIST AI RMF
GOVERN 1.2 - Accountability for AI risk — AI supply chain
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-47867 actively exploited?

No confirmed active exploitation of CVE-2024-47867 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2024-47867?

This vulnerability affects the following AI/ML architecture patterns: ML development environments, model serving, and data science workbenches.

What is the CVSS score for CVE-2024-47867?

CVE-2024-47867 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.22%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling. There is no direct workaround for this issue without upgrading. However, users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.
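
The manual checksum validation mentioned above, which is also the post-patch check in step 5 of Recommended Action, can be done as follows. This is an added example, not code from Gradio or from this advisory; the file name frpc_placeholder and the sample bytes are constructed, and in real use the pinned digest must come from a trusted source such as the Gradio 5.0.0 release artifacts.

```python
import hashlib
import hmac
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so a large binary is never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_or_quarantine(path: Path, expected_sha256: str) -> bool:
    """Return True only if the file matches the pinned digest.

    On mismatch, strip every execute bit and rename the file so nothing
    can launch it under its usual name while it is investigated.
    """
    actual = sha256_file(path)
    if hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return True
    mode = path.stat().st_mode
    path.chmod(mode & ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    path.rename(path.with_name(path.name + ".quarantined"))
    return False


def demo() -> tuple[bool, bool, bool]:
    """Constructed data: a stand-in 'binary' and a digest pinned from it."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = Path(tmp) / "frpc_placeholder"  # hypothetical file name
        binary.write_bytes(b"constructed known-good bytes")
        binary.chmod(0o755)
        pinned = sha256_file(binary)  # real use: digest from a trusted source
        ok_before = verify_or_quarantine(binary, pinned)
        binary.write_bytes(b"constructed tampered bytes")  # content swapped
        ok_after = verify_or_quarantine(binary, pinned)
        quarantined = (Path(tmp) / "frpc_placeholder.quarantined").exists()
        return ok_before, ok_after, quarantined


if __name__ == "__main__":
    print(demo())
```

Run the check against the same file that will be executed, and before it is marked executable, so a mismatching binary never runs.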

Exploitation Scenario

An adversary targeting an ML team compromises the CDN or DNS resolution for the Gradio FRP client download URL (or positions themselves as MITM on a corporate network). When a data scientist runs gradio.launch(share=True) to demo a new model, Gradio fetches the FRP binary and executes it without any hash check. The adversary's payload—a trojanized FRP binary—runs as the Python process user, giving immediate code execution on a machine that likely holds model weights, training datasets, Hugging Face tokens, and internal API credentials. Because Gradio demos are often short-lived, the compromise may go undetected while credentials are exfiltrated.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Timeline

Published: October 10, 2024
Last Modified: January 21, 2025
First Seen: October 10, 2024
