CVE-2024-48052: Gradio: SSRF in DownloadButton exposes internal resources

GHSA-3gf9-wv65-gwh9 | MEDIUM | PoC AVAILABLE | CISA: TRACK*
Published: November 4, 2024

CISO Take

Any Gradio deployment ≤4.42.0 with gr.DownloadButton can be abused by low-privileged users to pivot to internal services and cloud metadata endpoints — AWS/GCP IAM credential theft is a realistic one-step escalation. Gradio is ubiquitous on HuggingFace Spaces and internal ML platforms, making real-world exposure far wider than CVSS suggests. Patch immediately and enforce IMDSv2 on all cloud hosts running Gradio.

Risk Assessment

Despite a medium CVSS (6.5), real-world risk is elevated for AI/ML environments. Exploitation requires only low privileges and no user interaction over the network — effectively any authenticated visitor of a Gradio app qualifies. Cloud-hosted ML demo stacks (HuggingFace Spaces, internal serving portals) have direct access to IMDS endpoints, making SSRF → IAM credential theft a near-trivial one-step attack. EPSS of 0.00092 reflects current observed exploitation activity, not the inherent exploitability of this class of vulnerability.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
gradio | pip | (none listed) | No patch
gradio | pip | <= 4.42.0 | No patch

gradio package stats: 42.5K, OpenSSF 5.6, 674 dependents, 27% patched, ~110d to patch

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 31% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

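AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None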

Recommended Action

  1. Patch: Upgrade to Gradio >4.42.0 — verify patched version on PyPI before deploying.

  2. Workaround (if upgrade blocked): Remove or disable all gr.DownloadButton components from public-facing interfaces.

  3. Network egress control: Block outbound HTTP from Gradio server processes to 169.254.169.254, 169.254.170.2, 100.100.100.200, and RFC1918 ranges at the host or container level.

  4. IMDSv2 enforcement: Enable IMDSv2 (hop-limit=1) on all AWS EC2/ECS instances running Gradio to block SSRF-based metadata enumeration.

  5. Detection: Alert on outbound HTTP requests from Gradio processes targeting internal or metadata IPs; monitor server logs for download requests containing internal URL patterns (10.x, 172.16-31.x, 192.168.x, 169.254.x).
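The log-monitoring half of step 5, as an added example (not code from Gradio or from this advisory): a scanner that pulls URLs out of request log lines, URL-decodes them, and flags any whose host is a literal IP in the ranges listed above. The log format, the /api/download path and all sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Patterns from the detection step (10.x, 172.16-31.x, 192.168.x, 169.254.x)
# plus 100.100.100.200 from the egress-control step.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.100.100.200/32")]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def internal_urls(line):
    """Return URLs in one log line whose host is a literal internal IPv4."""
    hits = []
    # Decode twice so a double-encoded value (http%253A%252F%252F...) is seen.
    text = unquote(unquote(line))
    for url in URL_RE.findall(text):
        try:
            ip = ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:
            continue  # hostname or malformed URL: needs DNS-aware checks
        if any(ip in net for net in INTERNAL):
            hits.append(url)
    return hits

def scan(lines):
    """Return (line_number, url) for every flagged URL in the log."""
    return [(n, u) for n, line in enumerate(lines, 1)
            for u in internal_urls(line)]

# Constructed sample lines; the format is hypothetical, not Gradio's own.
SAMPLE_LOG = [
    '203.0.113.7 "POST /api/download" body={"url":"https://files.example.test/model.bin"}',
    '203.0.113.7 "POST /api/download" body={"url":"http://169.254.169.254/latest/meta-data/"}',
    '198.51.100.9 "GET /api/download?url=http%3A%2F%2F10.0.4.12%3A8080%2Fadmin"',
    '198.51.100.9 "GET /api/download?url=http://172.32.0.1/ok"',  # outside 172.16-31.x
]

if __name__ == "__main__":
    for n, url in scan(SAMPLE_LOG):
        print(f"line {n}: {url}")
```

A hostname that resolves to an internal address passes this scan untouched, so it complements the outbound-connection alerting in the same step rather than replacing it.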

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.4 - System and application access control
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems and trustworthiness of their operations
OWASP LLM Top 10: LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2024-48052?

Any Gradio deployment ≤4.42.0 with gr.DownloadButton can be abused by low-privileged users to pivot to internal services and cloud metadata endpoints — AWS/GCP IAM credential theft is a realistic one-step escalation. Gradio is ubiquitous on HuggingFace Spaces and internal ML platforms, making real-world exposure far wider than CVSS suggests. Patch immediately and enforce IMDSv2 on all cloud hosts running Gradio.

Is CVE-2024-48052 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-48052, increasing the risk of exploitation.

How to fix CVE-2024-48052?

  1. Patch: Upgrade to Gradio >4.42.0 — verify patched version on PyPI before deploying.

  2. Workaround (if upgrade blocked): Remove or disable all gr.DownloadButton components from public-facing interfaces.

  3. Network egress control: Block outbound HTTP from Gradio server processes to 169.254.169.254, 169.254.170.2, 100.100.100.200, and RFC1918 ranges at the host or container level.

  4. IMDSv2 enforcement: Enable IMDSv2 (hop-limit=1) on all AWS EC2/ECS instances running Gradio to block SSRF-based metadata enumeration.

  5. Detection: Alert on outbound HTTP requests from Gradio processes targeting internal or metadata IPs; monitor server logs for download requests containing internal URL patterns (10.x, 172.16-31.x, 192.168.x, 169.254.x).

What systems are affected by CVE-2024-48052?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo platforms, training pipelines.

What is the CVSS score for CVE-2024-48052?

CVE-2024-48052 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.13%.

Technical Details

NVD Description

In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.
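The restriction this description says is missing, as an added example (not Gradio's code and not its actual fix): a pre-fetch check that a server-side download helper such as save_url_to_cache could apply. The names check_download_url, is_blocked_ip, BLOCKED_NETS and the injectable resolve parameter are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the advisory's egress rule, plus loopback and IPv6 local
# ranges. 100.64.0.0/10 is listed explicitly because it contains
# 100.100.100.200 and ipaddress does not report it as private.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
    "169.254.0.0/16",   # 169.254.169.254, 169.254.170.2
    "100.64.0.0/10",    # 100.100.100.200
    "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]

def _system_resolve(host):
    """Every address the OS resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_blocked_ip(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.5 -> 10.0.0.5
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def check_download_url(url, resolve=_system_resolve):
    """Return (allowed, reason) for a URL about to be fetched server-side."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host:
        return False, "no host"
    try:
        addrs = resolve(host)
    except (OSError, UnicodeError):
        return False, "host does not resolve"
    # Reject if ANY answer is internal: the HTTP client may pick any of them.
    blocked = sorted(a for a in addrs if is_blocked_ip(a))
    if blocked:
        return False, "resolves to blocked address " + blocked[0]
    return (True, "ok") if addrs else (False, "host does not resolve")
```

The fetch has to connect to the same address that was checked, and every redirect target needs the same check; otherwise a second DNS answer or a 30x response sidesteps it.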

Exploitation Scenario

An attacker with a free or trial account on any HuggingFace Space running Gradio ≤4.42.0 interacts with a gr.DownloadButton and submits the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/[role-name]. The Gradio server fetches this URL server-side via save_url_to_cache without any restriction, caches the response, and returns it to the attacker — yielding valid AWS IAM access keys and session tokens. The attacker then uses these credentials to enumerate and exfiltrate S3 buckets containing proprietary training datasets, fine-tuned model weights, and customer data. On GCP or Azure deployments, equivalent metadata endpoints yield comparable tokens. No AI/ML knowledge required; standard SSRF payloads apply directly.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: November 4, 2024
Last Modified: June 13, 2025
First Seen: November 4, 2024

Related Vulnerabilities