CVE-2024-47868: Gradio: path traversal leaks arbitrary server files

GHSA-4q3c-cj7g-jcwf | Severity: HIGH | Public PoC available
Published October 10, 2024
CISO Take

Any Gradio deployment older than v5.0.0 with network exposure is vulnerable to unauthenticated arbitrary file reads — including SSH keys, API credentials, and model configs. Upgrade to Gradio ≥5.0.0 immediately; no workarounds exist. Audit every Gradio instance in your environment including internal ML demos, inference UIs, and Hugging Face Spaces — then rotate credentials on any instance that was publicly accessible.

What is the risk?

High severity (CVSS 7.5) with near-zero exploitation complexity: no authentication, no user interaction, network-accessible, low attack complexity. EPSS is currently low (0.2%) but Gradio's ubiquity in ML prototyping pipelines and the trivial exploit mechanics make this a high-priority patch target. Risk compounds significantly when instances are internet-facing or when combined with TOB-GRADIO-15. Primary at-risk assets are cloud API keys, SSH private keys, and proprietary model artifacts stored server-side.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
Gradio    pip         (not listed)       No patch
Gradio    pip         < 5.0.0            5.0.0

Package profile: 43.0K, OpenSSF 5.6, 685 dependents, pushed 4d ago, 26% patched, ~110d to patch

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.8% chance of exploitation in 30 days (higher than 52% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

5 steps
  1. PATCH

    Upgrade all Gradio deployments to ≥5.0.0 — no workarounds exist per the advisory.

  2. AUDIT

    Inventory all Gradio instances by scanning requirements.txt, pyproject.toml, and Pipfile across repos and CI/CD pipelines.

  3. ISOLATE

    Until patched, restrict Gradio endpoint access via firewall rules or VPN; remove all public exposure.

  4. ROTATE

    If an instance was publicly accessible at any point, assume server-side credentials are compromised — rotate API keys, SSH keys, and database passwords immediately.

  5. DETECT

    Review web access logs for path traversal patterns (../, %2f, /etc/, /root/, /.ssh/, /.env) targeting Gradio API and component endpoints.
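The AUDIT and DETECT steps above are the two that can be scripted. The following is an added example written for this page, not tooling from the advisory or the Gradio project: it finds Gradio requirements in requirements.txt, pyproject.toml and Pipfile text and flags versions below 5.0.0, and it scans access-log lines for the traversal indicators listed in the DETECT step after URL-decoding them. The dependency snippets and log lines are constructed samples; the GRADIO_ROUTES prefixes are an assumption and should be adjusted to the routes your deployment actually exposes.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

FIXED_VERSION = (5, 0, 0)  # first patched release named in the advisory

# One Gradio requirement as written in requirements.txt ("gradio[oauth]==4.44.0"),
# pyproject.toml ('"gradio==4.44.0"') or a Pipfile ('gradio = "==4.44.0"').
_PIN_RE = re.compile(
    r'\bgradio\b(?:\[[^\]]*\])?\s*=?\s*"?\s*(==|~=|>=|>|<=|<)\s*([0-9][0-9.]*)',
    re.I,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.44.0' -> (4, 44, 0); missing components are padded with zeros."""
    parts = [int(p) for p in text.strip(".").split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def audit_dependency_text(text: str) -> List[Tuple[str, str, bool]]:
    """Return (operator, version, vulnerable) for each Gradio requirement found.

    Pins and lower bounds below 5.0.0 are flagged. An upper bound at or below
    5.0.0 is flagged as well, because it still admits 4.x releases.
    """
    findings = []
    for op, ver in _PIN_RE.findall(text):
        v = parse_version(ver)
        if op in ("==", "~=", ">=", ">"):
            vulnerable = v < FIXED_VERSION
        else:  # "<" or "<=" upper bound
            vulnerable = v <= FIXED_VERSION
        findings.append((op, ver, vulnerable))
    return findings


# Indicators from the DETECT step, applied after decoding so "%2e%2e%2f" and
# "../" are treated alike ("%2f" itself decodes to "/" and is caught by the
# "/etc/", "/root/", "/.ssh/" and "/.env" patterns).
_TRAVERSAL_RE = re.compile(r"\.\./|/etc/|/root/|/\.ssh/|/\.env\b", re.I)
# ASSUMPTION: route prefixes used to narrow matches to Gradio endpoints.
GRADIO_ROUTES = ("/api/", "/run/", "/file=", "/queue/")
_REQ_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, decoded_request_target, indicator) for suspect requests.

    Note: access logs only show the URL. A path carried in a POST body (the
    vector the advisory describes) needs application-level request logging.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        target = unquote(unquote(m.group(1)))  # two passes catch %252e%252e
        if not target.startswith(GRADIO_ROUTES):
            continue
        ind = _TRAVERSAL_RE.search(target)
        if ind:
            hits.append((n, target, ind.group(0)))
    return hits


# Constructed sample inputs (not taken from any real repository or server).
SAMPLE_REQUIREMENTS = "fastapi==0.111.0\ngradio[oauth]==4.44.0\nnumpy>=1.26\n"
SAMPLE_PYPROJECT = 'dependencies = ["torch>=2.2", "gradio==5.1.0"]\n'
SAMPLE_PIPFILE = 'gradio = "==4.36.1"\n'
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2024:10:00:01 +0000] "GET /api/predict HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Oct/2024:10:00:02 +0000] "GET /file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [12/Oct/2024:10:00:03 +0000] "GET /file=%252e%252e/%252e%252e/home/user/.ssh/id_rsa HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Oct/2024:10:00:04 +0000] "GET /static/app.css HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for name, text in (("requirements.txt", SAMPLE_REQUIREMENTS),
                       ("pyproject.toml", SAMPLE_PYPROJECT),
                       ("Pipfile", SAMPLE_PIPFILE)):
        print(name, audit_dependency_text(text))
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspect request:", hit)
```

Run the audit over every dependency file a repository search turns up, and feed the scanner whole access-log files; both functions accept plain text, so they also work on output piped from git grep or zcat.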

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Art.15 - Accuracy, robustness and cybersecurity
  Art.9 - Risk Management System
ISO 42001
  A.6.1.2 - AI risk assessment
  A.9.1 - Information security in AI system development
NIST AI RMF
  GOVERN-1.2 - Policies, processes, procedures, and practices across the organization related to the mapping, measuring, and managing of AI risks
  MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and to manage risks
OWASP LLM Top 10
  LLM05 - Supply Chain Vulnerabilities
  LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-47868 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-47868, increasing the risk of exploitation.

What systems are affected by CVE-2024-47868?

This vulnerability affects the following AI/ML architecture patterns: ML UI/demo interfaces, model serving, inference APIs, internal ML tooling, agent frameworks.

What is the CVSS score for CVE-2024-47868?

CVE-2024-47868 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.80%.

What is the AI security impact?

Affected AI Architectures

ML UI/demo interfaces, model serving, inference APIs, internal ML tooling, agent frameworks

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15, Art.9
ISO 42001: A.6.1.2, A.9.1
NIST AI RMF: GOVERN-1.2, MANAGE-2.2
OWASP LLM Top 10: LLM05, LLM06

What are the technical details?

Original Advisory

Gradio is an open-source Python package designed for quick prototyping. This is a **data validation vulnerability** affecting several Gradio components, which allows arbitrary file leaks through the post-processing step. Attackers can exploit these components by crafting requests that bypass expected input constraints. This issue could lead to sensitive files being exposed to unauthorized users, especially when combined with other vulnerabilities, such as issue TOB-GRADIO-15. The components most at risk are those that return or handle file data.

Vulnerable Components:

1. **String to FileData:** DownloadButton, Audio, ImageEditor, Video, Model3D, File, UploadButton.
2. **Complex data to FileData:** Chatbot, MultimodalTextbox.
3. **Direct file read in preprocess:** Code.
4. **Dictionary converted to FileData:** ParamViewer, Dataset.

Exploit Scenarios:

1. A developer creates a Dropdown list that passes values to a DownloadButton. An attacker bypasses the allowed inputs, sends an arbitrary file path (like `/etc/passwd`), and downloads sensitive files.
2. An attacker crafts a malicious payload in a ParamViewer component, leaking sensitive files from a server through the arbitrary file leak.

This issue has been resolved in `gradio>5.0`. Upgrading to the latest version will mitigate this vulnerability. There are no known workarounds for this vulnerability.
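The "String to FileData" pattern in the advisory is a post-processing step that turns a string from the request into a server-side file reference, and the UI's allowed values do not constrain what the HTTP request may carry. The block below is an added illustration written for this page, not Gradio's code and not the fix that shipped in 5.0: `postprocess_unchecked`, `postprocess_confined`, `FileData` and `demo` are hypothetical names, and the scratch files it creates are constructed stand-ins. It shows the unchecked conversion beside a variant that resolves the path and requires it to lie under an allow-listed directory before any file is read.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Tuple


@dataclass
class FileData:  # hypothetical stand-in for a component's file payload
    path: str
    size: int


def postprocess_unchecked(value: str) -> FileData:
    """Vulnerable pattern: whatever string the request carries becomes the
    server-side path. A Dropdown may only offer 'report.txt', but the HTTP
    request is not bound by the UI, so an arbitrary path is accepted as-is."""
    return FileData(path=value, size=os.path.getsize(value))


def postprocess_confined(value: str, allowed_roots: Tuple[str, ...]) -> FileData:
    """Hardened pattern: resolve symlinks and '..' first, then require the
    real path to lie under an allow-listed root before touching the file."""
    real = os.path.realpath(value)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        try:
            # commonpath compares whole path components, so a sibling such as
            # /srv/files-evil is not mistaken for a child of /srv/files.
            if os.path.commonpath([root_real, real]) == root_real:
                return FileData(path=real, size=os.path.getsize(real))
        except ValueError:  # different drives on Windows: cannot be inside
            continue
    raise PermissionError(f"{value!r} is outside the allowed directories")


def demo() -> dict:
    """Create a scratch tree with one legitimate file and one file outside
    the served directory, then exercise both post-processing variants."""
    base = tempfile.mkdtemp()
    try:
        served = os.path.join(base, "served")
        os.mkdir(served)
        ok_file = os.path.join(served, "report.txt")
        with open(ok_file, "w") as f:
            f.write("quarterly numbers\n")
        secret = os.path.join(base, "secret.txt")  # constructed stand-in
        with open(secret, "w") as f:
            f.write("api_key=CONSTRUCTED-PLACEHOLDER\n")

        results = {}
        results["legit_served"] = (
            postprocess_confined(ok_file, (served,)).path == os.path.realpath(ok_file)
        )
        for name, candidate in (
            ("traversal_blocked", os.path.join(served, "..", "secret.txt")),
            ("absolute_blocked", secret),
        ):
            try:
                postprocess_confined(candidate, (served,))
                results[name] = False
            except PermissionError:
                results[name] = True
        # The unchecked variant returns the out-of-tree file without complaint.
        results["unchecked_leaks"] = postprocess_unchecked(secret).size > 0
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Because the check runs on the resolved path, a symlink placed inside the served directory but pointing outside it is rejected too; the allow-list is the only thing that decides what the component may hand back, regardless of what the request body contained.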

Exploitation Scenario

An attacker enumerates publicly accessible Gradio inference UIs (common in ML teams using them for demos or internal tooling). They identify a DownloadButton or Chatbot component endpoint and craft a POST request substituting the expected file path with '/app/.env' or '/home/user/.ssh/id_rsa'. The server's post-processing step returns file contents without path validation. The attacker harvests cloud API keys (OpenAI, AWS, GCP) to pivot into cloud infrastructure or exfiltrate proprietary model weights, then uses recovered SSH keys for persistent server access — all without authentication.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
October 10, 2024
Last Modified
January 21, 2025
First Seen
October 10, 2024
