CVE-2024-47870: Gradio: race condition enables backend URL hijacking

GHSA-xh2x-3mrm-fwqm HIGH
Published October 10, 2024
CISO Take

All Gradio deployments below v5.0.0 are vulnerable to a race condition that silently redirects user traffic—credentials, file uploads, model inputs—to an attacker-controlled server. Upgrade to Gradio 5.0.0 immediately; no workaround exists. Prioritize internet-exposed instances and those handling sensitive data (PII, medical images, proprietary model inputs).

What is the risk?

CVSS 8.1 with AC:H reflects genuine exploitation complexity—race conditions require precise timing and network positioning, limiting opportunistic attacks. EPSS of 0.19% confirms low current exploitation activity. However, the no-privileges-required, no-user-interaction profile means automated exploitation is feasible for a determined adversary. Risk is materially elevated for internet-exposed Gradio deployments; internal instances on trusted networks face lower but non-zero risk. The absence of any workaround means patching is the only mitigation path.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
Gradio | pip | | No patch
Gradio | pip | < 5.0.0 | 5.0.0
43.0K | OpenSSF 5.6 | 685 dependents | Pushed 4d ago | 26% patched | ~110d to patch

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 28% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Advanced

What is the attack surface?

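AV (Attack Vector): Network
AC (Attack Complexity): High
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High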

What should I do?

  1. Upgrade all Gradio installations to >=5.0.0 immediately—no workaround exists per the advisory.

  2. Audit all ML infrastructure: run 'pip show gradio' or 'pip list | grep gradio' across all environments to identify vulnerable instances.

  3. For internet-exposed deployments that cannot be patched immediately, restrict access to trusted IP ranges via WAF or firewall rules.

  4. Review server logs for anomalous backend URL changes or unexpected request routing during the vulnerable window.

  5. Rotate credentials (API keys, user passwords) that may have been submitted through affected Gradio interfaces.

  6. Enforce Gradio >=5.0.0 as a minimum version requirement in CI/CD pipelines and container base images.
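One way to implement the audit in step 2 and the pipeline gate in step 6, as an added example that is not part of the advisory or of Gradio: a standard-library check that flags any `gradio` requirement line that does not set a floor at or above 5.0.0. The function names and the sample requirements are constructed for illustration, and the check is deliberately conservative (wildcards and pre-releases are flagged).

```python
import re

MIN_FIXED = (5, 0, 0)  # first patched Gradio release named in the advisory

# "gradio" or "gradio[extras]", but not other packages such as gradio_client.
REQ = re.compile(r"^\s*gradio(?![\w.-])(?:\[[^\]]*\])?(?P<spec>[^;#]*)", re.I)
CLAUSE = re.compile(r"(==|>=|~=)\s*([^\s,]+)")

def release(version):
    """Numeric release as a 3-tuple; None for wildcards and pre-releases."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))

def has_safe_floor(spec):
    """True if some ==, >= or ~= clause sets a floor at or above MIN_FIXED."""
    for _op, version in CLAUSE.findall(spec):
        rel = release(version)
        if rel is not None and rel >= MIN_FIXED:
            return True
    return False

def audit(lines):
    """Return (line_number, requirement) for each gradio line lacking a safe floor."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQ.match(line)
        if match and not has_safe_floor(match.group("spec")):
            findings.append((number, line.strip()))
    return findings

# Constructed requirements file contents for illustration.
SAMPLE = """\
numpy>=1.26
gradio==4.44.0
gradio[oauth]>=4.0,<6
gradio_client==1.3.0
gradio
gradio>=5.0.0
gradio~=5.1
gradio==5.0.0b3
""".splitlines()

if __name__ == "__main__":
    for number, req in audit(SAMPLE):
        print(f"line {number}: {req!r} permits gradio < 5.0.0")
```

In a pipeline, exit non-zero when `audit()` returns any finding so the build fails before a vulnerable pin reaches an image.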

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
Clause 6.1.2 - AI risk assessment
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-47870 actively exploited?

No confirmed active exploitation of CVE-2024-47870 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2024-47870?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo platforms, inference APIs, internal ML tooling, LLM application frontends.

What is the CVSS score for CVE-2024-47870?

CVE-2024-47870 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.36%.

What is the AI security impact?

Affected AI Architectures

model serving, ML demo platforms, inference APIs, internal ML tooling, LLM application frontends

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Clause 6.1.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue.

Exploitation Scenario

An adversary identifies an internet-exposed Gradio v4.x deployment used as an inference UI for a document analysis LLM pipeline. By precisely timing a request during the server's configuration initialization—exploiting the race window in update_root_in_config—the attacker substitutes the legitimate backend URL with their own server before the configuration finalizes. Subsequent users accessing the Gradio interface submit documents and authentication tokens that are transparently proxied to the attacker's infrastructure. The attacker harvests valid API keys, proprietary documents, and model outputs, then uses the captured credentials for lateral movement into the broader MLOps environment.

Weaknesses (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'): The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

  • [Architecture and Design] In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
  • [Architecture and Design] Use thread-safe capabilities such as the data access abstraction in Spring.

Source: MITRE CWE corpus.
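The weakness class described in the advisory and in CWE-362 above, as an added example that is not Gradio's code: a simplified model in which a per-request `root` value is written into a server-wide config object and read back later, next to a version that edits a private copy. The config shape, handler names and hostnames are hypothetical, and the model assumes only what the advisory states, that the `root` value ends up in state shared between requests.

```python
import copy
import threading

# Constructed stand-in for a server-wide config object; not Gradio's real structure.
SHARED_CONFIG = {"root": "", "title": "demo"}

def handle_shared(root, wrote, resume):
    """Unsafe: writes the per-request root into shared state and reads it back later."""
    SHARED_CONFIG["root"] = root   # write to the shared object
    wrote.set()
    resume.wait(timeout=2)         # stands in for any work between write and read
    return dict(SHARED_CONFIG)     # serializes whatever the shared object holds now

def handle_copied(root, wrote, resume):
    """Safe: each request edits a private copy, so there is no shared window."""
    config = copy.deepcopy(SHARED_CONFIG)
    config["root"] = root
    wrote.set()
    resume.wait(timeout=2)
    return config

def response_for_a(handler, root_a, root_b):
    """Force the order 'A writes, B runs fully, A reads' and return A's response."""
    out = {}
    a_wrote, a_resume = threading.Event(), threading.Event()
    thread = threading.Thread(
        target=lambda: out.update(a=handler(root_a, a_wrote, a_resume)))
    thread.start()
    a_wrote.wait(timeout=2)
    no_wait = threading.Event()
    no_wait.set()
    handler(root_b, threading.Event(), no_wait)  # B completes inside A's window
    a_resume.set()
    thread.join()
    return out["a"]

if __name__ == "__main__":
    a, b = "https://app.example.test", "https://other.example.test"
    print("shared:", response_for_a(handle_shared, a, b)["root"])
    print("copied:", response_for_a(handle_copied, a, b)["root"])
```

A lock held across both the write and the read closes the same window at the cost of serializing requests; the per-request copy removes the shared resource altogether.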

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: October 10, 2024
Last Modified: January 21, 2025
First Seen: October 10, 2024

Related Vulnerabilities