CVE-2024-4940: Gradio: open redirect enables phishing against ML users

MEDIUM | PoC available | Nuclei template | CISA: Track*
Published June 22, 2024
CISO Take

This open redirect in Gradio allows attackers to craft trusted-looking URLs pointing to legitimate ML demos that silently forward users to attacker-controlled phishing pages. The primary risk is credential harvesting targeting ML engineers and data scientists who routinely share and click Gradio demo links via Slack, email, and HuggingFace Spaces. Patch Gradio to the latest version immediately and audit any externally exposed Gradio instances; internal-only deployments carry lower but non-zero risk if users trust intranet URLs.

Risk Assessment

Despite a medium CVSS score, the effective risk is elevated in AI/ML environments due to Gradio's ubiquity across HuggingFace Spaces, internal data science tooling, and prototype deployments. The Changed scope (S:C) indicates the vulnerability crosses the application security boundary. Exploitation requires zero technical skill — a single crafted URL suffices. The mitigating factor is required user interaction, but ML practitioners routinely share and click demo URLs, making social engineering trivial. No active exploitation in KEV, but the attack surface is massive.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
gradio | pip | | No patch

42.5K | OpenSSF 5.6 | 674 dependents | Pushed 8d ago | 27% patched | ~110d to patch

Do you use gradio? You're affected.

Severity & Risk

CVSS 3.1: 6.1 / 10
EPSS: 7.2% chance of exploitation in 30 days (higher than 92% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium

Signals:
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

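Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None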

Recommended Action

  1. Patch: Upgrade Gradio to the latest patched version immediately (check release notes for fix commit).

  2. Inventory: Identify all internal and public-facing Gradio deployments, including HuggingFace Spaces.

  3. WAF/Proxy: Add URL validation rules blocking external redirect parameters at the WAF or reverse proxy layer.

  4. CSP Headers: Enforce Content-Security-Policy headers to limit redirect destinations.

  5. Detection: Monitor access logs for requests containing URL-encoded redirect parameters (e.g., ?next=, ?url=, ?redirect=) pointing to external domains.

  6. User Awareness: Alert ML/data science teams not to click Gradio links from untrusted sources; phishing via demo URLs is a realistic attack vector.
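
A sketch of the log check in step 5 (the same predicate can back the validation rule in step 3), added here as an example and not taken from Gradio or from this advisory's source. The parameter names are the ones listed in step 5; the access-log format, `ALLOWED_HOSTS` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names from step 5; extend for your deployment.
REDIRECT_PARAMS = {"next", "url", "redirect"}
# Assumption: hosts this deployment may legitimately redirect to.
ALLOWED_HOSTS = {"demo.internal.example"}
# Request line of a common/combined access-log entry: "METHOD URI PROTOCOL".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, reserved .example names).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jun/2024:10:01:02 +0000] "GET /?redirect=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0',
    '203.0.113.7 - - [22/Jun/2024:10:01:05 +0000] "GET /?next=/queue/join HTTP/1.1" 200 512',
    '198.51.100.4 - - [22/Jun/2024:10:02:11 +0000] "GET /?url=%252F%252Fphish.example HTTP/1.1" 302 0',
    '198.51.100.4 - - [22/Jun/2024:10:03:40 +0000] "GET /?next=https://demo.internal.example/ HTTP/1.1" 302 0',
]

def external_target(value):
    """Return the off-site host a redirect value points to, or None."""
    for _ in range(3):  # bounded re-decoding catches double-encoded values
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Browsers treat "\" like "/" in URLs, so "/\host" is scheme-relative.
    value = value.strip().replace("\\", "/")
    try:
        host = urlsplit(value).hostname  # lower-cased by urlsplit
    except ValueError:
        return "<unparseable>"  # malformed authority: surface it for review
    if host is None or host in ALLOWED_HOSTS:
        return None  # relative path or an allowed destination
    return host

def scan(lines):
    """Return (line_no, param, host) for each off-site redirect parameter."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        query = m.group(1).partition("?")[2] if m else ""
        for name, value in parse_qsl(query, keep_blank_values=True):
            host = external_target(value) if name.lower() in REDIRECT_PARAMS else None
            if host:
                hits.append((no, name, host))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```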

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Security of AI system interfaces; A.8.6 - AI system security
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place to address emerging risks in deployed AI systems
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-4940 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-4940, increasing the risk of exploitation.

What systems are affected by CVE-2024-4940?

This vulnerability affects the following AI/ML architecture patterns: ML demo/prototype deployments, Model serving with web UI, Internal data science tooling, HuggingFace Spaces deployments, AI application front-ends.

What is the CVSS score for CVE-2024-4940?

CVE-2024-4940 has a CVSS v3.1 base score of 6.1 (MEDIUM). The EPSS exploitation probability is 7.24%.

Technical Details

NVD Description

An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page.

Exploitation Scenario

An attacker identifies a public Gradio-based ML demo (HuggingFace Space or corporate internal portal). They craft a URL like `https://legitimate-gradio-app.example.com/?redirect=https://attacker-phishing-site.com/huggingface-login`. The URL is distributed via Slack, email, or a GitHub issue as 'check out this model demo.' The target clicks the link, sees the legitimate domain in their browser for a moment, and is silently redirected to a convincing HuggingFace or corporate SSO phishing page. Harvested credentials are then used for AI infrastructure access, model repository takeover, or lateral movement into cloud ML environments.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published: June 22, 2024
Last Modified: July 29, 2025
First Seen: June 22, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2024/CVE-2024-4940.yaml -u https://target.example.com
