CVE-2024-47870: Gradio: race condition enables backend URL hijacking

GHSA-xh2x-3mrm-fwqm HIGH
Published October 10, 2024

CISO Take

All Gradio deployments below v5.0.0 are vulnerable to a race condition that silently redirects user traffic—credentials, file uploads, model inputs—to an attacker-controlled server. Upgrade to Gradio 5.0.0 immediately; no workaround exists. Prioritize internet-exposed instances and those handling sensitive data (PII, medical images, proprietary model inputs).

Risk Assessment

CVSS 8.1 with AC:H reflects genuine exploitation complexity: race conditions require precise timing and network positioning, limiting opportunistic attacks. EPSS of 0.19% confirms low current exploitation activity. However, the no-privileges-required, no-user-interaction profile means automated exploitation is feasible for a determined adversary. Risk is materially elevated for internet-exposed Gradio deployments; internal instances on trusted networks face lower but non-zero risk. The absence of any workaround means patching is the only mitigation path.

Affected Systems

Package Ecosystem Vulnerable Range Patched
gradio pip No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch
gradio pip < 5.0.0 5.0.0

Severity & Risk

CVSS 3.1
8.1 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 41% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Advanced

Attack Surface

AV Network
AC High
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

  1. Upgrade all Gradio installations to >=5.0.0 immediately—no workaround exists per the advisory.

  2. Audit all ML infrastructure: run 'pip show gradio' or 'pip list | grep gradio' across all environments to identify vulnerable instances.

  3. For internet-exposed deployments that cannot be patched immediately, restrict access to trusted IP ranges via WAF or firewall rules.

  4. Review server logs for anomalous backend URL changes or unexpected request routing during the vulnerable window.

  5. Rotate credentials (API keys, user passwords) that may have been submitted through affected Gradio interfaces.

  6. Enforce Gradio >=5.0.0 as a minimum version requirement in CI/CD pipelines and container base images.
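
Steps 2 and 6 can share one check. The script below is an added example, not code from the advisory or from the Gradio project: it flags `gradio` pins below 5.0.0 in pip-freeze output and exits non-zero so it can gate a pipeline. The environment names and freeze text in SAMPLE_ENVS are constructed, and the version comparison is a simplified stand-in for full PEP 440 ordering.

```python
import re
import sys
from importlib import metadata

MIN_FIXED = (5, 0, 0)  # first patched gradio release named by the advisory
_VERSION = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$", re.I)
_PRERELEASE = re.compile(r"^[-_.]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)
# Matches "gradio==X" but not "gradio_client==X" or "gradio-client==X".
_PIN = re.compile(r"^\s*gradio\s*==\s*([^\s;#]+)", re.I)

def is_vulnerable(version):
    """True when a gradio version string sorts below 5.0.0."""
    m = _VERSION.match(version.strip())
    if not m:
        return True  # unparseable: fail closed so someone looks at it
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (len(MIN_FIXED) - len(release))
    if release == MIN_FIXED:
        # 5.0.0b3, 5.0.0rc1 and 5.0.0.dev1 precede the final 5.0.0 release
        return bool(_PRERELEASE.match(m.group(2)))
    return release < MIN_FIXED

def audit_freeze(env_name, freeze_text):
    """Return (env, version) for each vulnerable gradio pin in pip-freeze text."""
    hits = []
    for line in freeze_text.splitlines():
        m = _PIN.match(line)
        if m and is_vulnerable(m.group(1)):
            hits.append((env_name, m.group(1)))
    return hits

def audit_all(envs):
    return [hit for name, text in envs.items() for hit in audit_freeze(name, text)]

# Constructed sample input: pip-freeze output from three hypothetical environments.
SAMPLE_ENVS = {
    "inference-ui": "fastapi==0.110.0\ngradio==4.44.0\ngradio_client==1.3.0\n",
    "demo": "gradio==5.0.0\n",
    "staging": "Gradio==5.0.0b3\n",
}

if __name__ == "__main__":
    findings = audit_all(SAMPLE_ENVS)
    try:  # also check the interpreter running this script
        findings += audit_freeze("local", "gradio==" + metadata.version("gradio"))
    except metadata.PackageNotFoundError:
        pass
    for env, ver in findings:
        print(f"VULNERABLE {env}: gradio {ver} < 5.0.0 (CVE-2024-47870)")
    sys.exit(1 if findings else 0)
```

In a real pipeline, replace SAMPLE_ENVS with the captured output of `pip freeze` from each environment or image being audited.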

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
Clause 6.1.2 - AI risk assessment
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-47870?

All Gradio deployments below v5.0.0 are vulnerable to a race condition that silently redirects user traffic—credentials, file uploads, model inputs—to an attacker-controlled server. Upgrade to Gradio 5.0.0 immediately; no workaround exists. Prioritize internet-exposed instances and those handling sensitive data (PII, medical images, proprietary model inputs).

Is CVE-2024-47870 actively exploited?

No confirmed active exploitation of CVE-2024-47870 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-47870?

  1. Upgrade all Gradio installations to >=5.0.0 immediately; no workaround exists per the advisory.

  2. Audit all ML infrastructure: run 'pip show gradio' or 'pip list | grep gradio' across all environments to identify vulnerable instances.

  3. For internet-exposed deployments that cannot be patched immediately, restrict access to trusted IP ranges via WAF or firewall rules.

  4. Review server logs for anomalous backend URL changes or unexpected request routing during the vulnerable window.

  5. Rotate credentials (API keys, user passwords) that may have been submitted through affected Gradio interfaces.

  6. Enforce Gradio >=5.0.0 as a minimum version requirement in CI/CD pipelines and container base images.

What systems are affected by CVE-2024-47870?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo platforms, inference APIs, internal ML tooling, LLM application frontends.

What is the CVSS score for CVE-2024-47870?

CVE-2024-47870 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.19%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies an internet-exposed Gradio v4.x deployment used as an inference UI for a document analysis LLM pipeline. By precisely timing a request during the server's configuration initialization—exploiting the race window in update_root_in_config—the attacker substitutes the legitimate backend URL with their own server before the configuration finalizes. Subsequent users accessing the Gradio interface submit documents and authentication tokens that are transparently proxied to the attacker's infrastructure. The attacker harvests valid API keys, proprietary documents, and model outputs, then uses the captured credentials for lateral movement into the broader MLOps environment.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
October 10, 2024
Last Modified
January 21, 2025
First Seen
October 10, 2024
