CVE-2024-4940: Gradio: open redirect enables phishing against ML users

MEDIUM | PoC AVAILABLE | NUCLEI TEMPLATE | CISA: TRACK*
Published June 22, 2024
CISO Take

This open redirect in Gradio allows attackers to craft trusted-looking URLs pointing to legitimate ML demos that silently forward users to attacker-controlled phishing pages. The primary risk is credential harvesting targeting ML engineers and data scientists who routinely share and click Gradio demo links via Slack, email, and HuggingFace Spaces. Patch Gradio to the latest version immediately and audit any externally exposed Gradio instances; internal-only deployments carry lower but non-zero risk if users trust intranet URLs.

What is the risk?

Despite a medium CVSS score, the effective risk is elevated in AI/ML environments due to Gradio's ubiquity across HuggingFace Spaces, internal data science tooling, and prototype deployments. The Changed scope (S:C) indicates the vulnerability crosses the application security boundary. Exploitation requires zero technical skill — a single crafted URL suffices. The mitigating factor is required user interaction, but ML practitioners routinely share and click demo URLs, making social engineering trivial. No active exploitation in KEV, but the attack surface is massive.

What systems are affected?

Package: Gradio
Ecosystem: pip
Vulnerable Range: (none listed)
Patched: No patch

Do you use Gradio? You're affected.

How severe is it?

CVSS 3.1: 6.1 / 10
EPSS: 1.0% chance of exploitation in 30 days (higher than 59% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

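AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None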

What should I do?

  1. Patch: Upgrade Gradio to the latest patched version immediately (check release notes for fix commit).

  2. Inventory: Identify all internal and public-facing Gradio deployments, including HuggingFace Spaces.

  3. WAF/Proxy: Add URL validation rules blocking external redirect parameters at the WAF or reverse proxy layer.

  4. CSP Headers: Enforce Content-Security-Policy headers to limit redirect destinations.

  5. Detection: Monitor access logs for requests containing URL-encoded redirect parameters (e.g., `?next=`, `?url=`, `?redirect=`) pointing to external domains.

  6. User Awareness: Alert ML/data science teams not to click Gradio links from untrusted sources; phishing via demo URLs is a realistic attack vector.
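
The detection step above, sketched as a log scan (an added example, not code from the Gradio project or from this advisory). It assumes Combined Log Format access logs; the parameter names are the ones listed in step 5, and `TRUSTED_HOSTS` and the sample lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names from the detection step above; adjust to your application.
REDIRECT_PARAMS = {"next", "url", "redirect"}
# Assumption: hosts that are legitimate redirect targets in your environment.
TRUSTED_HOSTS = {"demo.corp.example"}
# Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')


def external_host(value):
    """Return the off-site host a parameter value points at, else None."""
    for _ in range(3):  # peel nested percent-encoding such as %252F
        value = unquote(value)
    value = value.strip().replace("\\", "/")  # browsers read "\" as "/"
    if value.startswith("//"):
        value = "https:" + value  # protocol-relative form
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None  # relative path or non-web scheme
    host = parts.hostname.lower()
    return None if host in TRUSTED_HOSTS else host


def find_redirect_hits(lines):
    """Return (client, param, host, status) for each off-site redirect value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        query = target.partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in REDIRECT_PARAMS and (host := external_host(value)):
                hits.append((client, name.lower(), host, status))
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jun/2024:10:01:02 +0000] "GET /?redirect=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.9 - - [22/Jun/2024:10:02:10 +0000] "GET /?next=%252F%252Fphish.example%252Fsso HTTP/1.1" 302 0',
    '192.0.2.44 - - [22/Jun/2024:10:03:30 +0000] "GET /?next=%2Fsettings HTTP/1.1" 200 512',
]
```

Hits that come back with a 3xx status are the ones to triage first, since the server actually issued a redirect for them.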

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Security of AI system interfaces; A.8.6 - AI system security
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place to address emerging risks in deployed AI systems
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-4940 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-4940, increasing the risk of exploitation.

What systems are affected by CVE-2024-4940?

This vulnerability affects the following AI/ML architecture patterns: ML demo/prototype deployments, Model serving with web UI, Internal data science tooling, HuggingFace Spaces deployments, AI application front-ends.

What is the CVSS score for CVE-2024-4940?

CVE-2024-4940 has a CVSS v3.1 base score of 6.1 (MEDIUM). The EPSS exploitation probability is 1.02%.

What is the AI security impact?

Affected AI Architectures

ML demo/prototype deployments
Model serving with web UI
Internal data science tooling
HuggingFace Spaces deployments
AI application front-ends

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application
AML.T0052 Phishing
AML.T0078 Drive-by Compromise

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6, A.8.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page.

Exploitation Scenario

An attacker identifies a public Gradio-based ML demo (HuggingFace Space or corporate internal portal). They craft a URL like `https://legitimate-gradio-app.example.com/?redirect=https://attacker-phishing-site.com/huggingface-login`. The URL is distributed via Slack, email, or a GitHub issue as 'check out this model demo.' The target clicks the link, sees the legitimate domain in their browser for a moment, and is silently redirected to a convincing HuggingFace or corporate SSO phishing page. Harvested credentials are then used for AI infrastructure access, model repository takeover, or lateral movement into cloud ML environments.

Weaknesses (CWE)

CWE-601 — URL Redirection to Untrusted Site ('Open Redirect'): The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Source: MITRE CWE corpus.
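
The "accept known good" strategy from the CWE-601 guidance above, applied to a redirect target (an added example, not Gradio's fix and not code from the advisory). The function name, the `sso.corp.example` allowlist entry and the fallback path are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only external hosts this application may ever redirect to.
ALLOWED_HOSTS = frozenset({"sso.corp.example"})
FALLBACK = "/"


def resolve_redirect(value, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return value if it is a known-good redirect target, else fallback."""
    if not value or len(value) > 2048:
        return fallback
    # Backslashes, whitespace and control characters are rewritten or dropped
    # by browsers ("/\host" becomes "//host"), so a valid target has none.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F
           for ch in value):
        return fallback
    try:
        parts = urlsplit(value)
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Same-site target: must be a rooted path, never protocol-relative.
        ok = value.startswith("/") and not value.startswith("//")
        return value if ok else fallback
    if parts.scheme.lower() != "https":
        return fallback  # rejects http:, javascript:, data: and "//host"
    if parts.username is not None or parts.password is not None:
        return fallback  # "https://trusted@other-host/" userinfo form
    host = (parts.hostname or "").lower()
    return value if host in allowed_hosts else fallback
```

Anything that is not an exact allowlist match falls back to the application root rather than being repaired, which keeps the validator from having to guess what a malformed value meant.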

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published: June 22, 2024
Last Modified: July 29, 2025
First Seen: June 22, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2024/CVE-2024-4940.yaml -u https://target.example.com