CVE-2024-47871: Gradio: cleartext MITM exposes ML demo data via share=True

GHSA-279j-x4gx-hfrh CRITICAL
Published October 10, 2024
CISO Take

Any ML team running Gradio with share=True over the internet is transmitting data in cleartext through an FRP tunnel — model inputs, outputs, and uploaded files are interceptable by any on-path adversary. Upgrade to gradio>=5.0.0 immediately; ban share=True in any environment handling sensitive data pending upgrade. CVSS 9.1 with no authentication or user interaction required makes this a straightforward target.

What is the risk?

Critical severity (CVSS 9.1): network attack vector, low complexity, no privileges or user interaction required. EPSS is low (under 0.2%), indicating little observed exploitation so far, but interception is trivial for any on-path adversary and leaves no trace on the victim's side. Risk is highest for ML teams using Gradio for internal demos on shared networks, cloud-hosted prototype endpoints, or any pipeline where share=True is used with sensitive model I/O (PII, proprietary data, healthcare inputs). Because the share tunnel terminates on a public relay, the cleartext hop crosses networks the team does not control, not just the local network segment.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
Gradio    pip         < 5.0.0            5.0.0

How severe is it?

CVSS 3.1
9.1 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 7% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

6 steps
  1. PATCH

    Upgrade to gradio>=5.0.0, which enforces HTTPS on the FRP client-to-server connection. Treat as urgent for any deployment that has used share=True with non-public data.

  2. DISABLE

    Remove share=True from all production and semi-production environments immediately. Use self-hosted deployments with proper TLS termination instead.

  3. SELF-HOST

    Deploy Gradio behind a reverse proxy (nginx/Caddy) with valid TLS certificates on infrastructure you control. Bind the app to loopback (server_name="127.0.0.1") so only the proxy can reach it, and confirm the proxy passes through the long-lived connections Gradio's queue uses. If no proxy is available, launch() can terminate TLS itself via its ssl_certfile and ssl_keyfile parameters.

  4. DETECT

    Audit current Gradio deployments: search all ML repos and notebooks for share=True, allowing for whitespace around the '=' and for the flag being passed through a variable. A text grep only finds explicit literals; in Google Colab, Gradio defaults share to True when launch() does not set it, so Colab notebooks need review even without a match. Flag hits in CI/CD pipelines as a policy violation.

  5. NETWORK

    If share=True must remain temporarily, be clear about what a VPN or IP allowlist buys you: it limits who can submit data to the app but does not encrypt the tunnel hop between the local FRP client and the public share server. Keep the host off untrusted networks (public Wi-Fi, shared tenant subnets) until upgraded.

  6. MONITOR

    gradio.live is a hosted relay, so you have no server-side logs for it; review your own app's access logs (the local server the tunnel forwards to) for unexpected access patterns if share=True was in use prior to patching. Passive interception leaves no trace in those logs, so treat any sensitive data sent through a share link as potentially exposed.
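As a worked version of the DETECT step, the following is an added audit script written for this page; it is not Gradio's own tooling and is not taken from the advisory. It assumes a checkout containing .py files and .ipynb notebooks and uses Python's stdlib ast module instead of a text grep so that share = True with spaces, share passed through a variable, launch(**opts), and notebook cells containing IPython magics are all handled. A notebook cell that calls launch() without setting share is reported for review because Gradio defaults share to True when it detects Google Colab. The sample repository contents (SAMPLE_PY, SAMPLE_NB) are constructed inline, and the script name used in the usage note is hypothetical.

```python
"""Scan Python files and Jupyter notebooks for Gradio launch() calls that enable share=True.

Hypothetical audit script (not Gradio's own tooling). It parses code with ast rather
than grepping, so spacing, variables and **kwargs are handled, and it can run in CI
and fail the build on a confirmed hit.
"""
import ast
import json
import sys
from pathlib import Path


def find_share_calls(source: str, filename: str = "<string>", flag_default: bool = False) -> list[dict]:
    """Return one finding per launch() call, sorted by line.

    status: "violation" for share=True, "ok" for share=False/None,
            "review" for share=<expression>, launch(**opts), or (when flag_default
            is set) a launch() that leaves share unset.
    """
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return [{"file": filename, "line": exc.lineno or 0, "status": "unparseable", "detail": str(exc)}]

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "launch":
            continue
        share_kw = [kw for kw in node.keywords if kw.arg == "share"]
        splat_kw = [kw for kw in node.keywords if kw.arg is None]  # launch(**opts)
        if share_kw:
            value = share_kw[0].value
            if isinstance(value, ast.Constant) and value.value is True:
                status, detail = "violation", "share=True"
            elif isinstance(value, ast.Constant) and value.value in (False, None):
                status, detail = "ok", f"share={value.value!r}"
            else:
                status, detail = "review", f"share={ast.unparse(value)} (decided at runtime)"
        elif splat_kw:
            status, detail = "review", f"launch(**{ast.unparse(splat_kw[0].value)}) may carry share"
        elif flag_default:
            # Gradio sets share=True by default when it detects Google Colab, so a
            # notebook cell that omits the flag is not automatically safe.
            status, detail = "review", "share not set; defaults to True under Google Colab"
        else:
            continue
        findings.append({"file": filename, "line": node.lineno, "status": status, "detail": detail})
    return sorted(findings, key=lambda f: f["line"])


def find_share_calls_in_notebook(nb_json: str, filename: str = "<notebook>") -> list[dict]:
    """Parse each code cell of a .ipynb. IPython magics and shell escapes are blanked
    (not deleted) so ast.parse succeeds and line numbers stay cell-relative."""
    findings = []
    for idx, cell in enumerate(json.loads(nb_json).get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        src = cell.get("source", "")
        if isinstance(src, list):
            src = "".join(src)
        src = "\n".join("" if ln.lstrip().startswith(("!", "%")) else ln for ln in src.splitlines())
        findings.extend(find_share_calls(src, f"{filename}#cell{idx}", flag_default=True))
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a checkout and collect findings from every .py and .ipynb file."""
    findings = []
    for path in root.rglob("*"):
        if path.suffix == ".py":
            findings.extend(find_share_calls(path.read_text(encoding="utf-8", errors="replace"), str(path)))
        elif path.suffix == ".ipynb":
            findings.extend(find_share_calls_in_notebook(path.read_text(encoding="utf-8", errors="replace"), str(path)))
    return findings


def ci_exit_code(findings: list[dict]) -> int:
    """Policy: any confirmed share=True fails the build; 'review' items are reported only."""
    for f in findings:
        print(f"{f['status']:<12} {f['file']}:{f['line']}  {f['detail']}")
    return 1 if any(f["status"] == "violation" for f in findings) else 0


# Constructed sample inputs (not taken from any real repository).
SAMPLE_PY = """\
import os
import gradio as gr
demo = gr.Interface(fn=lambda x: x, inputs="text", outputs="text")
demo.launch(share=True)
demo.launch(server_name="127.0.0.1", share=False)
share_flag = os.environ.get("DEMO_SHARE") == "1"
demo.launch(share=share_flag)
"""
SAMPLE_NB = json.dumps({"cells": [
    {"cell_type": "code", "source": ["!pip install gradio\n", "import gradio as gr\n",
                                     "gr.Interface(fn=str, inputs='text', outputs='text').launch(share = True)\n"]},
    {"cell_type": "markdown", "source": "# notes"},
    {"cell_type": "code", "source": "demo.launch()\n"},
]})

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else (
        find_share_calls(SAMPLE_PY, "demo.py") + find_share_calls_in_notebook(SAMPLE_NB, "demo.ipynb"))
    sys.exit(ci_exit_code(results))
```

Run it as, for example, python gradio_share_audit.py path/to/checkout in CI (the file name is hypothetical); a non-zero exit marks the build as failing policy. With no argument it scans the constructed samples, reporting the share=True calls as violations, the share=False call as ok, and the variable-driven call and the unset-share notebook cell as review. Review items are printed but do not fail the build, so someone still has to look at them.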

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Information security in AI system development
NIST AI RMF
GOVERN-1.2 - Organizational risk and accountability for AI security
MEASURE-2.5 - Cybersecurity and privacy risks for AI systems
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-47871?

Any ML team running Gradio with share=True over the internet is transmitting data in cleartext through an FRP tunnel — model inputs, outputs, and uploaded files are interceptable by any on-path adversary. Upgrade to gradio>=5.0.0 immediately; ban share=True in any environment handling sensitive data pending upgrade. CVSS 9.1 with no authentication or user interaction required makes this a straightforward target.

Is CVE-2024-47871 actively exploited?

No confirmed active exploitation of CVE-2024-47871 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-47871?

1. PATCH: Upgrade to gradio>=5.0.0, which enforces HTTPS on the FRP client-to-server connection; treat as urgent for any deployment that has used share=True with non-public data. 2. DISABLE: Remove share=True from all production and semi-production environments immediately; self-host with proper TLS termination instead. 3. SELF-HOST: Deploy Gradio behind a reverse proxy (nginx/Caddy) with valid TLS certificates on infrastructure you control, bound to loopback so only the proxy can reach it. 4. DETECT: Search all ML repos and notebooks for share=True (allowing for whitespace and for the flag being passed through a variable), remember that Google Colab defaults share to True when launch() does not set it, and flag hits in CI/CD as a policy violation. 5. NETWORK: A VPN or IP allowlist limits who can submit data to the app but does not encrypt the tunnel hop between the local FRP client and the public share server; keep the host off untrusted networks until upgraded. 6. MONITOR: Review your own app's access logs (there are no gradio.live logs available to you) if share=True was in use prior to patching, and treat data sent through share links as potentially exposed, since passive interception leaves no trace.

What systems are affected by CVE-2024-47871?

This vulnerability affects the following AI/ML architecture patterns: ML demo and prototyping environments, Model serving (Gradio-fronted inference endpoints), RAG pipelines (document upload interfaces), LLM chat frontends, Computer vision inference UIs.

What is the CVSS score for CVE-2024-47871?

CVE-2024-47871 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.17%.

What is the AI security impact?

Affected AI Architectures

ML demo and prototyping environments
Model serving (Gradio-fronted inference endpoints)
RAG pipelines (document upload interfaces)
LLM chat frontends
Computer vision inference UIs

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN-1.2, MEASURE-2.5
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.

Exploitation Scenario

An adversary targeting an ML team's LLM-powered document processing demo intercepts traffic on a shared cloud subnet or coffee shop network where a data scientist is running a Gradio app with share=True to show a client. The app accepts document uploads and returns AI-generated summaries. Since the FRP tunnel lacks TLS, the attacker uses a standard MITM proxy (e.g., mitmproxy) to capture the cleartext HTTP stream — extracting every uploaded document in full and recording all model responses. They additionally inject modified responses that alter the model's output, causing the demo to show incorrect results that erode trust in the AI system. No authentication, no special tooling, and no AI/ML knowledge required — any network-capable attacker can execute this.

Weaknesses (CWE)

CWE-311 — Missing Encryption of Sensitive Data: The product does not encrypt sensitive or critical information before storage or transmission.

  • [Requirements] Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.
  • [Architecture and Design] Ensure that encryption is properly integrated into the system design, including but not necessarily limited to:
      - Encryption that is needed to store or transmit private data of the users of the system
      - Encryption that is needed to protect the system itself from unauthorized disclosure or tampering
    Identify the separate needs and contexts for encryption:
      - One-way (i.e., only the user or recipient needs to have the key). This can be achieved using public key cryptography, or other techniques in which the encrypting party (i.e., the product) does not need to have access to a private key.
      - Two-way (i.e., the encryption can be automatically performed on behalf of a user, but the ke
    Using threat modeling or other techniques, assume that data can be compromised through a separate vulnerability or weakness, and determine where encryption will be most effective. Ensure that data that should be private is not being inadvertently exposed using weaknesses such as insecure permissions (CWE-732). [REF-7]

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
October 10, 2024
Last Modified
January 21, 2025
First Seen
October 10, 2024

Related Vulnerabilities