AI Threat Alert AI Threat Alert

CVE-2024-47872: Gradio: stored XSS via malicious file upload

GHSA-gvv6-33j7-884g MEDIUM
Published October 10, 2024
CISO Take

Any Gradio deployment allowing file uploads is vulnerable to stored XSS — an authenticated user (insider, contractor, or compromised account) can upload a malicious HTML/SVG/JS file that executes in the browser of any user who views it, enabling session hijacking and credential theft. Upgrade to gradio>=5.0.0 immediately; if you cannot patch, block uploads of HTML, SVG, and JavaScript file types at the server. Audit your internal ML tooling — Gradio is pervasive in data science teams and often runs with broader internal network access than its exposure suggests.

Risk Assessment

Effective risk is higher than CVSS 5.4 suggests for AI-heavy organizations. Gradio is the de facto standard for ML model demos, internal evaluation interfaces, and collaborative prototyping — deployments frequently run on internal networks with access to model artifacts, training data, and infrastructure credentials. The authenticated requirement (PR:L) is a low bar: AI teams routinely share Gradio instances with contractors, partners, and large internal groups. EPSS of 0.0025 reflects limited public exploitation, but the attack requires no AI/ML expertise — any web attacker can exploit this. The real risk is lateral movement from a compromised Gradio session into ML infrastructure.

Affected Systems

Package Ecosystem Vulnerable Range Patched
gradio pip No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →
gradio pip < 5.0.0 5.0.0
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 48% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI Required
S Changed
C Low
I Low
A None

Recommended Action

6 steps

  1. Patch: upgrade to gradio>=5.0.0 — this is the only complete fix.

  2. If patching is blocked: restrict accepted MIME types server-side to images, CSV, and plain text; reject HTML, SVG, JS, and XML.

  3. Implement Content Security Policy (CSP) headers on all Gradio deployments to limit script execution scope.

  4. Audit existing uploaded files in your Gradio instance for malicious content (look for <script>, javascript:, onload= patterns in SVG/HTML files).

  5. Review who has upload access — reduce to minimum necessary.

  6. For detection: alert on uploads of HTML/SVG/JS file types; monitor for unusual session activity following file downloads.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Privacy Violation Framework Inference AML.T0011 AML.T0012 AML.T0025 AML.T0048.003 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - AI system security testing and vulnerability management
NIST AI RMF
MANAGE 2.4 - Residual risks from AI system operation are managed
OWASP LLM Top 10
LLM07:2025 - System Prompt Leakage

Frequently Asked Questions

What is CVE-2024-47872?

Any Gradio deployment allowing file uploads is vulnerable to stored XSS — an authenticated user (insider, contractor, or compromised account) can upload a malicious HTML/SVG/JS file that executes in the browser of any user who views it, enabling session hijacking and credential theft. Upgrade to gradio>=5.0.0 immediately; if you cannot patch, block uploads of HTML, SVG, and JavaScript file types at the server. Audit your internal ML tooling — Gradio is pervasive in data science teams and often runs with broader internal network access than its exposure suggests.

Is CVE-2024-47872 actively exploited?

No confirmed active exploitation of CVE-2024-47872 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-47872?

1. Patch: upgrade to gradio>=5.0.0 — this is the only complete fix. 2. If patching is blocked: restrict accepted MIME types server-side to images, CSV, and plain text; reject HTML, SVG, JS, and XML. 3. Implement Content Security Policy (CSP) headers on all Gradio deployments to limit script execution scope. 4. Audit existing uploaded files in your Gradio instance for malicious content (look for <script>, javascript:, onload= patterns in SVG/HTML files). 5. Review who has upload access — reduce to minimum necessary. 6. For detection: alert on uploads of HTML/SVG/JS file types; monitor for unusual session activity following file downloads.

What systems are affected by CVE-2024-47872?

This vulnerability affects the following AI/ML architecture patterns: ML prototyping platforms, model demo interfaces, internal AI tooling, model evaluation platforms, collaborative data annotation pipelines.

What is the CVSS score for CVE-2024-47872?

CVE-2024-47872 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.25%.

Technical Details

NVD Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view these files, the scripts will execute in their browser, allowing attackers to perform unauthorized actions or steal sensitive information from their sessions. This impacts any Gradio server that allows file uploads, particularly those using components that process or display user-uploaded files. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can restrict the types of files that can be uploaded to the Gradio server by limiting uploads to non-executable file types such as images or text. Additionally, developers can implement server-side validation to sanitize uploaded files, ensuring that HTML, JavaScript, and SVG files are properly handled or rejected before being stored or displayed to users.

Exploitation Scenario

A red-teamer or malicious insider with basic Gradio access uploads a crafted SVG file containing an embedded JavaScript payload to a shared model evaluation interface. The payload exfiltrates the document.cookie (session token) to an attacker-controlled endpoint via a fetch() call. When a senior ML engineer opens the file to review it, their session token is silently stolen. The attacker replays the token to access the Gradio backend, which has environment variables containing OpenAI/Anthropic API keys and S3 paths to proprietary fine-tuned model weights. No AI/ML expertise required — standard stored XSS tooling works out of the box.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary CWE-79

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

Timeline

Published
October 10, 2024
Last Modified
January 21, 2025
First Seen
October 10, 2024

Related Vulnerabilities

CRITICAL CVE-2024-47167 9.8

Gradio: unauthenticated SSRF in /queue/join, internal pivot

Same package: gradio
CRITICAL CVE-2023-25823 9.8

Gradio: hardcoded SSH key leaks via share=True demos

Same package: gradio
CRITICAL CVE-2024-39236 9.8

Gradio: code injection via component metadata (CVSS 9.8)

Same package: gradio
CRITICAL CVE-2024-0964 9.4

Gradio: unauthenticated LFI exposes full server filesystem

Same package: gradio
CRITICAL CVE-2023-34239 9.1

Gradio: path traversal + SSRF exposes model files & infra

Same package: gradio
Back to Threat Feed