CVE-2024-47871: Gradio: cleartext MITM exposes ML demo data via share=True

GHSA-279j-x4gx-hfrh CRITICAL
Published October 10, 2024
CISO Take

Any ML team running Gradio with share=True over the internet is transmitting data in cleartext through an FRP tunnel — model inputs, outputs, and uploaded files are interceptable by any on-path adversary. Upgrade to gradio>=5.0.0 immediately; ban share=True in any environment handling sensitive data pending upgrade. CVSS 9.1 with no authentication or user interaction required makes this a straightforward target.

Risk Assessment

Critical severity (CVSS 9.1) with a network-accessible attack vector, low complexity, and no privileges or user interaction required. EPSS is low (0.00083), indicating limited active exploitation so far, but the attack is trivial to execute for any on-path adversary. Risk is highest for ML teams using Gradio for internal demos on shared networks, cloud-hosted prototype endpoints, or any pipeline where share=True is used with sensitive model I/O (PII, proprietary data, healthcare inputs). The FRP tunnel architecture means traffic is exposed beyond the local network segment.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
gradio    pip         < 5.0.0            5.0.0

Severity & Risk

CVSS 3.1: 9.1 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 24% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

Recommended Action

6 steps

  1. PATCH

    Upgrade to gradio>=5.0.0, which enforces HTTPS on the FRP connection. Treat as urgent for any internet-facing deployment.

  2. DISABLE

    Remove share=True from all production and semi-production environments immediately. Use self-hosted deployments with proper TLS termination instead.

  3. SELF-HOST

    Deploy Gradio behind a reverse proxy (nginx/Caddy) with valid TLS certificates on infrastructure you control.

  4. DETECT

    Audit current Gradio deployments with: grep -r 'share=True' across all ML repos and notebooks. Flag in CI/CD pipelines as a policy violation.

  5. NETWORK

    If share=True must remain temporarily, restrict access via VPN or IP allowlist at the network level to reduce on-path adversary surface.

  6. MONITOR

    Review logs from gradio.live endpoints for unexpected access patterns if share=True was in use prior to patching.
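The grep in step 4 catches the literal string but misses spaced keywords (share = True), notebook code cells stored as JSON, and values assigned from a variable. The scanner below is an added example for this advisory, not code from Gradio or from the advisory's author: it parses .py files and the code cells of .ipynb notebooks with Python's ast module, flags every .launch(...) call whose share keyword is the literal True, marks non-literal share values for review, and exits non-zero so a CI job can fail the build. It assumes the Gradio app is started through a method named launch, which is how the page's share=True option is passed.

```python
import ast
import json
import sys
from pathlib import Path

def scan_source(src, origin):
    """Return (origin, line, verdict) for each .launch(...) call that sets share."""
    findings = []
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return findings  # notebook cells with !pip or %magic lines: skip, do not crash
    for node in ast.walk(tree):
        # Any method call named launch: demo.launch(...), gr.Interface(...).launch(...)
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "launch"):
            continue
        for kw in node.keywords:
            if kw.arg != "share":
                continue
            is_const = isinstance(kw.value, ast.Constant)
            if is_const and kw.value.value is True:
                findings.append((origin, node.lineno, "VIOLATION: share=True"))
            elif not (is_const and kw.value.value is False):
                findings.append((origin, node.lineno, "REVIEW: share set from a non-literal"))
    return findings

def scan_notebook(text, origin):
    """Scan the code cells of a Jupyter notebook (JSON); markdown cells are ignored."""
    findings = []
    for idx, cell in enumerate(json.loads(text).get("cells", [])):
        if cell.get("cell_type") == "code":
            src = "".join(cell.get("source", []))  # source is a list of lines or one string
            findings += scan_source(src, f"{origin}#cell{idx}")
    return findings

def scan_tree(root):
    # Walk a repo and scan every .py file and .ipynb notebook under it
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix == ".py":
            findings += scan_source(path.read_text(encoding="utf-8"), str(path))
        elif path.suffix == ".ipynb":
            findings += scan_notebook(path.read_text(encoding="utf-8"), str(path))
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for origin, line, verdict in hits:
        print(f"{origin}:{line}: {verdict}")
    sys.exit(1 if any(v.startswith("VIOLATION") for _, _, v in hits) else 0)  # fail CI
```

Run it as `python scan_share.py path/to/repo` in CI; a REVIEW finding means the flag is computed at runtime and needs a human look rather than an automatic failure.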

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Information security in AI system development
NIST AI RMF: GOVERN-1.2 - Organizational risk and accountability for AI security
NIST AI RMF: MEASURE-2.5 - Cybersecurity and privacy risks for AI systems
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-47871?

Any ML team running Gradio with share=True over the internet is transmitting data in cleartext through an FRP tunnel — model inputs, outputs, and uploaded files are interceptable by any on-path adversary. Upgrade to gradio>=5.0.0 immediately; ban share=True in any environment handling sensitive data pending upgrade. CVSS 9.1 with no authentication or user interaction required makes this a straightforward target.

Is CVE-2024-47871 actively exploited?

No confirmed active exploitation of CVE-2024-47871 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-47871?

1. PATCH: Upgrade to gradio>=5.0.0, which enforces HTTPS on the FRP connection. Treat as urgent for any internet-facing deployment.
2. DISABLE: Remove share=True from all production and semi-production environments immediately. Use self-hosted deployments with proper TLS termination instead.
3. SELF-HOST: Deploy Gradio behind a reverse proxy (nginx/Caddy) with valid TLS certificates on infrastructure you control.
4. DETECT: Audit current Gradio deployments with: grep -r 'share=True' across all ML repos and notebooks. Flag in CI/CD pipelines as a policy violation.
5. NETWORK: If share=True must remain temporarily, restrict access via VPN or IP allowlist at the network level to reduce on-path adversary surface.
6. MONITOR: Review logs from gradio.live endpoints for unexpected access patterns if share=True was in use prior to patching.

What systems are affected by CVE-2024-47871?

This vulnerability affects the following AI/ML architecture patterns: ML demo and prototyping environments, Model serving (Gradio-fronted inference endpoints), RAG pipelines (document upload interfaces), LLM chat frontends, Computer vision inference UIs.

What is the CVSS score for CVE-2024-47871?

CVE-2024-47871 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.

Exploitation Scenario

An adversary targeting an ML team's LLM-powered document processing demo intercepts traffic on a shared cloud subnet or coffee shop network where a data scientist is running a Gradio app with share=True to show a client. The app accepts document uploads and returns AI-generated summaries. Since the FRP tunnel lacks TLS, the attacker uses a standard MITM proxy (e.g., mitmproxy) to capture the cleartext HTTP stream — extracting every uploaded document in full and recording all model responses. They additionally inject modified responses that alter the model's output, causing the demo to show incorrect results that erode trust in the AI system. No authentication, no special tooling, and no AI/ML knowledge required — any network-capable attacker can execute this.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: October 10, 2024
Last Modified: January 21, 2025
First Seen: October 10, 2024
