CVE-2024-47868: Gradio: path traversal leaks arbitrary server files

GHSA-4q3c-cj7g-jcwf HIGH PoC AVAILABLE
Published October 10, 2024
CISO Take

Any Gradio deployment older than v5.0.0 with network exposure is vulnerable to unauthenticated arbitrary file reads — including SSH keys, API credentials, and model configs. Upgrade to Gradio ≥5.0.0 immediately; no workarounds exist. Audit every Gradio instance in your environment including internal ML demos, inference UIs, and Hugging Face Spaces — then rotate credentials on any instance that was publicly accessible.

Risk Assessment

High severity (CVSS 7.5) with near-zero exploitation complexity: no authentication, no user interaction, network-accessible, low attack complexity. EPSS is currently low (0.2%) but Gradio's ubiquity in ML prototyping pipelines and the trivial exploit mechanics make this a high-priority patch target. Risk compounds significantly when instances are internet-facing or when combined with TOB-GRADIO-15. Primary at-risk assets are cloud API keys, SSH private keys, and proprietary model artifacts stored server-side.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
gradio    pip         -                  No patch
gradio    pip         < 5.0.0            5.0.0

42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 42% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: None
A: None

Recommended Action

5 steps
  1. PATCH

    Upgrade all Gradio deployments to ≥5.0.0 — no workarounds exist per the advisory.

  2. AUDIT

    Inventory all Gradio instances by scanning requirements.txt, pyproject.toml, and Pipfile across repos and CI/CD pipelines.

  3. ISOLATE

    Until patched, restrict Gradio endpoint access via firewall rules or VPN; remove all public exposure.

  4. ROTATE

    If an instance was publicly accessible at any point, assume server-side credentials are compromised — rotate API keys, SSH keys, and database passwords immediately.

  5. DETECT

    Review web access logs for path traversal patterns (../, %2f, /etc/, /root/, /.ssh/, /.env) targeting Gradio API and component endpoints.
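
For the AUDIT step, a manifest check written for this page (an added example, not code from the advisory or from Gradio). The function names and the sample manifest lines are constructed; it reads PEP 440 style clauses only, so Poetry caret ranges and lock files need separate handling.

```python
import re

FIXED = (5, 0, 0)  # first patched release per the advisory's package table
# A dependency line naming gradio itself (not gradio_client / gradio-client).
NAME = re.compile(r'^\s*["\']?gradio(?![\w-])(?:\[[^\]]*\])?(.*)$', re.I)
CLAUSE = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*(\d[\w.*]*)")

def parse(version):
    """'4.44.0' -> (4, 44, 0); '4.*' -> (4, 0, 0). Pre-release tags are ignored."""
    nums = [int(n) for n in re.match(r"[\d.]*", version).group().split(".") if n][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(spec):
    """Return 'vulnerable', 'allows-vulnerable', 'patched' or 'unpinned'."""
    clauses = CLAUSE.findall(spec.split(";")[0].split("#")[0])
    if not clauses:
        return "unpinned"  # bare name or "*": whatever the resolver picked
    floor = (0, 0, 0)
    for op, ver in clauses:
        if op in ("==", "==="):  # exact pin decides on its own
            return "vulnerable" if parse(ver) < FIXED else "patched"
        if op in (">=", ">", "~="):  # lower bounds raise the floor
            floor = max(floor, parse(ver))
    return "allows-vulnerable" if floor < FIXED else "patched"

def scan(manifest_text):
    """Return (line_number, line, status) for every gradio dependency line."""
    findings = []
    for no, line in enumerate(manifest_text.splitlines(), 1):
        m = NAME.match(line)
        if m:
            findings.append((no, line.strip(), classify(m.group(1))))
    return findings

# Constructed manifest fragments, one per file type named in the AUDIT step.
SAMPLE = '''\
# constructed requirements.txt
gradio==4.44.0  # demo UI
gradio_client==1.3.0
# constructed pyproject.toml dependency entries
  "gradio[oauth]>=4.0,<6",
  "gradio>=5.0.0",
# constructed Pipfile entry
gradio = "*"
'''

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Anything reported as allows-vulnerable or unpinned still needs the installed version checked on the host, since the manifest alone does not say what was resolved.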

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art.15 - Accuracy, robustness and cybersecurity
  Art.9 - Risk Management System
ISO 42001
  A.6.1.2 - AI risk assessment
  A.9.1 - Information security in AI system development
NIST AI RMF
  GOVERN-1.2 - Policies, processes, procedures, and practices across the organization related to the mapping, measuring, and managing of AI risks
  MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and to manage risks
OWASP LLM Top 10
  LLM05 - Supply Chain Vulnerabilities
  LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-47868?

Any Gradio deployment older than v5.0.0 with network exposure is vulnerable to unauthenticated arbitrary file reads — including SSH keys, API credentials, and model configs. Upgrade to Gradio ≥5.0.0 immediately; no workarounds exist. Audit every Gradio instance in your environment including internal ML demos, inference UIs, and Hugging Face Spaces — then rotate credentials on any instance that was publicly accessible.

Is CVE-2024-47868 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-47868, increasing the risk of exploitation.

How to fix CVE-2024-47868?

  1. PATCH: Upgrade all Gradio deployments to ≥5.0.0 — no workarounds exist per the advisory.
  2. AUDIT: Inventory all Gradio instances by scanning requirements.txt, pyproject.toml, and Pipfile across repos and CI/CD pipelines.
  3. ISOLATE: Until patched, restrict Gradio endpoint access via firewall rules or VPN; remove all public exposure.
  4. ROTATE: If an instance was publicly accessible at any point, assume server-side credentials are compromised — rotate API keys, SSH keys, and database passwords immediately.
  5. DETECT: Review web access logs for path traversal patterns (../, %2f, /etc/, /root/, /.ssh/, /.env) targeting Gradio API and component endpoints.

What systems are affected by CVE-2024-47868?

This vulnerability affects the following AI/ML architecture patterns: ML UI/demo interfaces, model serving, inference APIs, internal ML tooling, agent frameworks.

What is the CVSS score for CVE-2024-47868?

CVE-2024-47868 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.20%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. This is a data validation vulnerability affecting several Gradio components, which allows arbitrary file leaks through the post-processing step. Attackers can exploit these components by crafting requests that bypass expected input constraints. This issue could lead to sensitive files being exposed to unauthorized users, especially when combined with other vulnerabilities, such as issue TOB-GRADIO-15. The components most at risk are those that return or handle file data.

Vulnerable Components:
  1. String to FileData: DownloadButton, Audio, ImageEditor, Video, Model3D, File, UploadButton.
  2. Complex data to FileData: Chatbot, MultimodalTextbox.
  3. Direct file read in preprocess: Code.
  4. Dictionary converted to FileData: ParamViewer, Dataset.

Exploit Scenarios:
  1. A developer creates a Dropdown list that passes values to a DownloadButton. An attacker bypasses the allowed inputs, sends an arbitrary file path (like `/etc/passwd`), and downloads sensitive files.
  2. An attacker crafts a malicious payload in a ParamViewer component, leaking sensitive files from a server through the arbitrary file leak.

This issue has been resolved in `gradio>5.0`. Upgrading to the latest version will mitigate this vulnerability. There are no known workarounds for this vulnerability.

Exploitation Scenario

An attacker enumerates publicly accessible Gradio inference UIs (common in ML teams using them for demos or internal tooling). They identify a DownloadButton or Chatbot component endpoint and craft a POST request substituting the expected file path with '/app/.env' or '/home/user/.ssh/id_rsa'. The server's post-processing step returns file contents without path validation. The attacker harvests cloud API keys (OpenAI, AWS, GCP) to pivot into cloud infrastructure or exfiltrate proprietary model weights, then uses recovered SSH keys for persistent server access — all without authentication.
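
Detection logic for the DETECT step and the scenario above, run over constructed access-log lines (an added example, not part of the advisory). The route prefixes, function names and log lines are assumptions. Access logs record the request line only, so a path carried in a POST body as in this scenario is visible only where a proxy or WAF logs request bodies.

```python
import re
from urllib.parse import unquote

# Indicators from the DETECT step, matched against the fully decoded target.
INDICATORS = ("../", "/etc/", "/root/", "/.ssh/", "/.env")
ENC_SLASH = re.compile(r"%(?:25)*2f", re.I)  # %2f, also re-encoded as %252f
# Assumed Gradio route prefixes, not taken from the advisory; adjust as needed.
PREFIXES = ("/file=", "/api/", "/run/", "/queue/", "/upload")
# Common/combined log format: client IP, method, request target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def decode(target, rounds=3):
    """Strip up to `rounds` layers of percent-encoding and normalise slashes."""
    for _ in range(rounds):
        once = unquote(target)
        if once == target:
            break
        target = once
    return target.replace("\\", "/").lower()

def inspect(line):
    """Return a finding dict for a suspicious Gradio request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, method, raw, status = m.groups()
    path = decode(raw)
    if not path.startswith(PREFIXES):
        return None
    hits = [i for i in INDICATORS if i in path]
    if ENC_SLASH.search(raw):
        hits.append("%2f")
    if not hits:
        return None
    # A 2xx status means the server answered the request: triage these first.
    return {"ip": ip, "method": method, "hits": hits, "served": status[0] == "2"}

def scan(log_text):
    return [f for f in map(inspect, log_text.splitlines()) if f]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /file=/etc/passwd HTTP/1.1" 200 1843
203.0.113.7 - - [10/Oct/2024:12:00:03 +0000] "GET /file=..%252f..%252fapp%252f.env HTTP/1.1" 403 120
198.51.100.4 - - [10/Oct/2024:12:01:10 +0000] "POST /queue/join HTTP/1.1" 200 64
198.51.100.4 - - [10/Oct/2024:12:01:11 +0000] "GET /file=/tmp/gradio/ab12/cat.png HTTP/1.1" 200 50211
'''

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```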

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: October 10, 2024
Last Modified: January 21, 2025
First Seen: October 10, 2024

Related Vulnerabilities