CVE-2024-4941: Gradio: LFI via JSON path key exposes server files
Severity: HIGH | PoC available | CISA SSVC: Track

Any internet-exposed Gradio instance at version 4.25 or earlier lets an unauthenticated attacker read any file the Gradio process can read, including model weights, API keys and .env configs, with one crafted request and a follow-up fetch. Upgrade to 4.26 or later and rotate every secret on affected hosts. If a publicly reachable instance fronted sensitive AI assets, treat the host as potentially compromised and hunt for the exploitation indicators given under Recommended Action.
Risk Assessment
CVSS 7.5 understates real-world impact. Gradio is pervasively deployed for ML demos, internal model UIs and production inference frontends, frequently co-located with .env files holding OpenAI, HuggingFace or Anthropic API keys and with model checkpoints. The score reflects a confidentiality-only impact (C:H, no integrity or availability loss), but no authentication is required, the exploit is trivial, and a working PoC is published in the original disclosure report. Broad Gradio adoption, high-value adjacent assets, and the fact that a leaked key turns a read-only bug into billing abuse, data theft and model theft make this a critical operational risk for AI/ML teams.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | ≤ 4.25 | 4.26 (fix commit ee1e294) |
If you run Gradio 4.25 or earlier, you are affected. The vulnerable code path is the JSON component's postprocess(), so the instances actually exposed are those where attacker-influenced content reaches a gr.JSON output; do not rely on that precondition, since it is cheap to test for and easy to miss in an app review.
Recommended Action
1. Patch: upgrade to Gradio 4.26 or later (fix commit ee1e294) on every instance.
2. Workaround: if patching is blocked, remove the JSON output component from the app, or take the instance off the internet (firewall it to internal networks and put authentication, such as Gradio's launch(auth=...) or an authenticating reverse proxy, in front of it). Network restriction only removes the unauthenticated internet exposure; anyone with network reach can still exploit the instance until it is patched.
3. Rotate credentials: audit and rotate every API key, token and secret reachable from affected hosts; assume .env and config files were read if the instance was exposed while vulnerable.
4. Detect exploitation: the copied file keeps its basename inside the cache directory (see the scenario below: /tmp/gradio/[uuid]/.env), so the exfiltration fetch looks like a normal cache request except for the filename. Search access logs for GET /file= requests whose filename is a secret or system file (.env, id_rsa, passwd, shadow, *.pem) rather than an expected upload type, and, to cover the related Gradio LFI issues, for /file= paths that normalise to somewhere outside the Gradio cache/upload directory. Where request bodies are logged, a POST to the predict endpoint containing a "path" key is the setup request to look for.
5. Asset inventory: enumerate all Gradio instances in your environment; prioritise internet-facing ones and those with filesystem access to model weights, API keys or training data.
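Step 4 in code, as an added example rather than a tool shipped with Gradio or referenced by the advisory: a small Python scanner for combined-format access logs that flags `/file=` requests on two indicators, a sensitive basename served from inside the cache directory (this CVE's pattern, since the copied file keeps its name) and a decoded path that normalises to somewhere outside the cache root (direct traversal, the pattern of the related LFI CVEs listed further down). The log lines are constructed, the cache root `/tmp/gradio` is Gradio's default temp location and should be replaced with your `GRADIO_TEMP_DIR`, and the basename list is a starting point, not an exhaustive one.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed cache root: Gradio's default temp dir; override with your GRADIO_TEMP_DIR value.
CACHE_ROOT = "/tmp/gradio"

# Combined-log-format line: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Basenames that have no business being served out of a Gradio file cache.
SENSITIVE_BASENAME = re.compile(
    r'^(\.env(\..+)?|id_(rsa|dsa|ecdsa|ed25519)(\.pub)?|passwd|shadow|'
    r'\.netrc|\.git-credentials|\.bash_history|.+\.(pem|key|p12|pfx))$'
)

# Constructed sample access-log lines, not captured from a real host.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/May/2024:12:00:01 +0000] "POST /api/predict HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /file=/tmp/gradio/3f9a1c2e/.env HTTP/1.1" 200 1337 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/May/2024:12:00:05 +0000] "GET /file=/tmp/gradio/8b2d77e1/cat.png HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2024:12:00:09 +0000] "GET /file=/tmp/gradio/a0b1c2d3/id_rsa HTTP/1.1" 200 2602 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/May/2024:12:00:11 +0000] "GET /file=%2Ftmp%2Fgradio%2Fdeadbeef%2Fpasswd HTTP/1.1" 200 1812 "-" "curl/8.4.0"',
    '198.51.100.9 - - [10/May/2024:12:00:15 +0000] "GET /file=/tmp/gradio/11223344/output.json HTTP/1.1" 200 220 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [10/May/2024:12:00:20 +0000] "GET /file=../../etc/shadow HTTP/1.1" 404 0 "-" "curl/8.4.0"',
]


def normalise_file_target(target):
    """Return the decoded, normalised path requested via /file=, or None for other routes."""
    if not target.startswith("/file="):
        return None
    raw = target[len("/file="):].split("?", 1)[0]
    # Decode twice: proxies and attackers both produce double-encoded paths.
    return posixpath.normpath(unquote(unquote(raw)))


def classify(path):
    """Explain why a /file= path is suspicious, or return None for ordinary cache traffic."""
    inside_cache = path == CACHE_ROOT or path.startswith(CACHE_ROOT + "/")
    if not inside_cache:
        return "path outside cache root (direct traversal)"
    if SENSITIVE_BASENAME.match(posixpath.basename(path)):
        return "sensitive file served from cache (CVE-2024-4941 pattern)"
    return None


def flag_suspicious(lines):
    """Return (ip, path, status, reason) for every /file= request matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise_file_target(m["target"])
        if path is None:
            continue
        reason = classify(path)
        if reason:
            hits.append((m["ip"], path, int(m["status"]), reason))
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOGS):
        print(*hit, sep="\t")
```

Ordinary access logs do not carry POST bodies, so this scanner catches the exfiltration fetch rather than the setup request; if your reverse proxy logs bodies, add a second pass that looks for a `"path"` key in POSTs to the predict endpoint. Treat a 200 on a flagged path as evidence the file was served and start the credential rotation in step 3.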
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision: Track, based on the CISA Coordinator decision tree (no evidence of active exploitation at the time of enrichment).
Frequently Asked Questions
What is CVE-2024-4941?
Any internet-exposed Gradio instance at version 4.25 or earlier lets an unauthenticated attacker read any file the Gradio process can read, including model weights, API keys and .env configs, with one crafted request and a follow-up fetch. Upgrade to 4.26 or later and rotate every secret on affected hosts. If a publicly reachable instance fronted sensitive AI assets, treat the host as potentially compromised and hunt for the exploitation indicators given under Recommended Action.
Is CVE-2024-4941 actively exploited?
No active exploitation is recorded here (the CISA SSVC decision is Track), but proof-of-concept exploit code for CVE-2024-4941 is publicly available, which makes opportunistic exploitation of exposed instances likely.
How to fix CVE-2024-4941?
1. Patch: upgrade to Gradio 4.26 or later (fix commit ee1e294). 2. Workaround: if patching is blocked, remove the JSON output component or restrict the instance to internal networks behind a firewall and authentication. 3. Rotate credentials: audit and rotate every API key, token and secret reachable from affected hosts; assume .env and config files were read if the instance was exposed while vulnerable. 4. Detect exploitation: search access logs for GET /file= requests whose filename is a secret or system file (.env, id_rsa, passwd, shadow, *.pem) served from inside the Gradio cache directory, and for /file= paths that normalise to somewhere outside it; where bodies are logged, look for a "path" key in POSTs to the predict endpoint. 5. Asset inventory: enumerate all Gradio instances in your environment; prioritise internet-facing ones and those with filesystem access to sensitive AI assets.
What systems are affected by CVE-2024-4941?
This vulnerability affects Gradio 4.25 and earlier in the following AI/ML architecture patterns: model serving, ML demos and prototypes, inference endpoints. The vulnerable code path is the JSON component's postprocess(), so deployments that render attacker-influenced content in a gr.JSON output are the ones directly at risk.
What is the CVSS score for CVE-2024-4941?
CVE-2024-4941 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.69%.
Technical Details
NVD Description
A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.
Exploitation Scenario
An attacker identifies an organization's public Gradio ML demo via Shodan or direct enumeration. They POST a crafted payload to the app's predict endpoint so that the string {"path": "/app/.env"} reaches a JSON output component, whose postprocess() hands it to move_files_to_cache(), which copies the .env file to /tmp/gradio/[uuid]/.env. A subsequent GET to /file=/tmp/gradio/[uuid]/.env returns the file contents, exposing OPENAI_API_KEY, HUGGINGFACE_TOKEN or database credentials. The attacker uses the extracted API keys to query production LLM APIs at the victim's cost, pivots to HuggingFace to exfiltrate private model weights, or uses database credentials to reach training data stores. No authentication and no special tooling: one crafted HTTP request followed by one fetch.
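To make the mechanism concrete, here is an added example (not Gradio's code and not the fix commit) that re-implements, in a few lines, the two behaviours the NVD text and the scenario above describe: a walker that treats any nested dict with a `path` key as a file and copies it into a cache directory with its basename preserved, and an illustrative hardened variant that only honours dicts carrying an explicit file-object tag and only when the real path lies inside an allowed root. The `gradio.FileData` marker, the `allowed_roots` list, the function names and the `.env` contents are assumptions made for the demonstration; scratch directories stand in for `/app/.env` and `/tmp/gradio`.

```python
import json
import os
import shutil
import tempfile

# Assumed explicit file-object tag; the marker name is an assumption for this example.
FILE_MARKER = "gradio.FileData"


def walk_for_path_keys(obj, visit):
    """Call visit() on every dict anywhere in obj that carries a 'path' key.
    This mirrors the traversal the NVD text describes: any object is walked and
    any dict with a 'path' key is treated as a file reference."""
    if isinstance(obj, dict):
        if "path" in obj:
            visit(obj)
        for value in obj.values():
            walk_for_path_keys(value, visit)
    elif isinstance(obj, list):
        for value in obj:
            walk_for_path_keys(value, visit)


def copy_into_cache(src, cache_dir):
    """Copy src into a fresh subdirectory of cache_dir, keeping its basename
    (the /tmp/gradio/<id>/.env shape from the scenario above)."""
    dst = os.path.join(tempfile.mkdtemp(dir=cache_dir), os.path.basename(src))
    shutil.copy(src, dst)
    return dst


def vulnerable_postprocess(user_json, cache_dir):
    """Simplified stand-in for the pre-fix flow: attacker-controlled JSON in,
    server files copied into the web-served cache out. Returns the cached paths."""
    data = json.loads(user_json)
    copied = []

    def on_path(d):
        d["path"] = copy_into_cache(d["path"], cache_dir)
        copied.append(d["path"])

    walk_for_path_keys(data, on_path)
    return copied


def hardened_postprocess(user_json, cache_dir, allowed_roots):
    """Illustrative hardening (not Gradio's actual patch): a bare 'path' key is
    plain JSON data. Only dicts explicitly tagged as file objects are honoured,
    and only when the resolved path lies inside one of allowed_roots."""
    data = json.loads(user_json)
    roots = [os.path.realpath(r) for r in allowed_roots]
    copied = []

    def on_path(d):
        if d.get("meta", {}).get("_type") != FILE_MARKER:
            return  # untagged 'path' is just a value the app emitted; leave it alone
        real = os.path.realpath(d["path"])
        if not any(os.path.commonpath([real, root]) == root for root in roots):
            raise PermissionError(f"path outside allowed roots: {real}")
        d["path"] = copy_into_cache(real, cache_dir)
        copied.append(d["path"])

    walk_for_path_keys(data, on_path)
    return copied


def demo():
    """Run both flows against the same payloads in a scratch tree; report what leaked."""
    work = tempfile.mkdtemp()
    cache, uploads = os.path.join(work, "gradio_cache"), os.path.join(work, "uploads")
    os.makedirs(cache)
    os.makedirs(uploads)
    # Constructed secret outside the upload root, standing in for /app/.env.
    secret = os.path.join(work, ".env")
    with open(secret, "w") as fh:
        fh.write("OPENAI_API_KEY=sk-constructed-example\n")
    legit = os.path.join(uploads, "result.txt")
    with open(legit, "w") as fh:
        fh.write("ordinary output\n")

    # The attacker's 'path' dict is buried two levels deep; the walker still finds it.
    attack = json.dumps({"result": [{"label": "ok", "extra": {"path": secret}}]})
    tagged_outside = json.dumps({"path": secret, "meta": {"_type": FILE_MARKER}})
    tagged_inside = json.dumps({"path": legit, "meta": {"_type": FILE_MARKER}})

    leaked = vulnerable_postprocess(attack, cache)
    with open(leaked[0]) as fh:
        leaked_contents = fh.read()
    untagged_copied = hardened_postprocess(attack, cache, [uploads])
    try:
        hardened_postprocess(tagged_outside, cache, [uploads])
        blocked = False
    except PermissionError:
        blocked = True
    inside_copied = hardened_postprocess(tagged_inside, cache, [uploads])
    shutil.rmtree(work)
    return {
        "vulnerable_copied": len(leaked),
        "leaked_contents": leaked_contents,
        "hardened_untagged_copied": len(untagged_copied),
        "hardened_tagged_outside_blocked": blocked,
        "hardened_tagged_inside_copied": len(inside_copied),
    }
```

Calling `demo()` shows the vulnerable flow copying the secret into the cache (the step that makes the later `/file=` fetch succeed) while the hardened flow ignores the untagged `path`, refuses a tagged one pointing outside the allowed root, and still serves a tagged file that lives inside it. The point to carry back to a code review is the first check: a structural key name is not a capability, and a file copy should be gated on an explicit type plus a path allowlist, not on the presence of `"path"`.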
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Related Vulnerabilities
- CVE-2024-39236 (CVSS 9.8): Gradio: code injection via component metadata (same package: gradio)
- CVE-2023-25823 (CVSS 9.8): Gradio: hardcoded SSH key leaks via share=True demos (same package: gradio)
- CVE-2024-47167 (CVSS 9.8): Gradio: unauthenticated SSRF in /queue/join, internal pivot (same package: gradio)
- CVE-2024-0964 (CVSS 9.4): Gradio: unauthenticated LFI exposes full server filesystem (same package: gradio)
- CVE-2023-34239 (CVSS 9.1): Gradio: path traversal + SSRF exposes model files & infra (same package: gradio)