CVE-2024-4941: Gradio: LFI via JSON path key exposes server files
HIGH | PoC available | CISA SSVC: Track
In Gradio 4.25 and earlier, a {"path": "..."} key inside a user-controlled string that reaches the JSON component's postprocess() makes the server copy the named file into its temp cache, from where an unauthenticated client fetches it via /file=. Any file the Gradio process can read is exposed, including model weights, API keys and .env configs. Upgrade to 4.26 or later, purge the Gradio temp directory and rotate every secret on hosts that were reachable while vulnerable; if the instance fronted sensitive AI assets and was publicly reachable, assume those secrets were read.
What is the risk?
CVSS 7.5 understates the operational impact. Gradio fronts ML demos, internal model UIs and production inference endpoints, and is routinely deployed next to .env files holding OpenAI, Hugging Face or Anthropic API keys and next to model checkpoints. No authentication is needed, the request is trivial to craft, and a working proof of concept is published with the disclosure report. The one precondition is an app in which user-supplied text reaches a gr.JSON output (the advisory's "user-controlled string is parsed as JSON"); demos that echo or transform input into a JSON view do exactly that. Broad adoption plus high-value adjacent assets make this a critical operational risk for AI/ML teams.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | ≤ 4.25 (advisory names 4.25) | 4.26 (fix commit ee1e294) |
If you run Gradio 4.25 or earlier and any gr.JSON output can render user-supplied text, you are exposed. Upgrade regardless: the file-copy behaviour lives in the shared processing_utils code, not in any one app.
What should I do?
1. Patch: upgrade to Gradio 4.26 or later (fix commit ee1e294).
2. Workaround: if patching is blocked, remove or replace gr.JSON outputs that can render user-derived strings, and restrict the instance to internal networks via firewall, Gradio's launch(auth=...) option or an authenticating reverse proxy.
3. Rotate credentials: audit and rotate all API keys, tokens and secrets on affected hosts; assume .env and config files were read during any exposure window. Purge the Gradio temp directory (GRADIO_TEMP_DIR, /tmp/gradio by default), which holds the copies the exploit created.
4. Detect exploitation: the exploit fetches the cached copy, so the /file= request names a path under the temp directory, not the original location. Search web server logs for /file= requests whose filename is a secret (.env, id_rsa, passwd, *.pem, *.key) or that contain traversal, and list the temp directory for such files; anything there that is not a user upload is an indicator of exploitation. If request bodies are logged, also look for prediction requests (/queue/join, /api/predict) carrying a "path" key.
5. Asset inventory: enumerate all Gradio instances in your environment; prioritize internet-facing ones and those with filesystem access to sensitive AI assets.
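Detection step 4 as runnable code. This is an added example, not tooling from the original page or from the Gradio project: it flags /file= requests whose target looks like a secret or contains traversal, and scans a Gradio temp directory for the copies the exploit leaves behind. The log lines, directory layout, file names and the SENSITIVE_BASENAMES starting set are constructed for the example; the /file= route and the /tmp/gradio default come from the advisory and Gradio's GRADIO_TEMP_DIR behaviour.

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import List, Sequence
from urllib.parse import unquote

# Basenames worth flagging behind /file= or inside the cache. Hypothetical
# starting set; extend it for your environment.
SENSITIVE_BASENAMES = re.compile(
    r"^(\.env(\..+)?|id_(rsa|ed25519|ecdsa|dsa)(\.pub)?|passwd|shadow|"
    r".+\.(pem|key|p12|pfx)|credentials(\.json)?|secrets?\.(json|ya?ml|toml))$",
    re.IGNORECASE,
)
# Matches the /file= route in nginx "combined" or uvicorn access-log lines.
FILE_ROUTE = re.compile(r'"(?:GET|HEAD) /file=([^ "?]+)')


def suspicious_file_requests(log_lines: Sequence[str]) -> List[str]:
    """Returns the /file= targets that name a secret-looking file or contain
    traversal, regardless of response status (a 403 is still an attempt)."""
    hits = []
    for line in log_lines:
        m = FILE_ROUTE.search(line)
        if not m:
            continue
        target = unquote(m.group(1))  # decode %2F-style encoding first
        if SENSITIVE_BASENAMES.match(Path(target).name) or "/../" in target:
            hits.append(target)
    return hits


def suspicious_cache_files(cache_dir: Path) -> List[str]:
    """Lists files in the Gradio temp directory (GRADIO_TEMP_DIR, /tmp/gradio
    by default) whose names match the same patterns: the exploit leaves the
    copied file there under a per-file subdirectory."""
    return sorted(
        str(p.relative_to(cache_dir))
        for p in cache_dir.rglob("*")
        if p.is_file() and SENSITIVE_BASENAMES.match(p.name)
    )


# Constructed nginx-style access log: one client pulling two cached secrets
# and probing /etc/passwd, one legitimate image fetch.
SAMPLE_LOG = [
    '10.0.0.7 - - [12/May/2024:10:01:02 +0000] "POST /queue/join HTTP/1.1" 200 61 "-" "python-requests/2.31"',
    '10.0.0.7 - - [12/May/2024:10:01:03 +0000] "GET /file=/tmp/gradio/3f2a9c/.env HTTP/1.1" 200 212 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/May/2024:10:02:11 +0000] "GET /file=/tmp/gradio/77e1/cat.png HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/May/2024:10:02:40 +0000] "GET /file=/tmp/gradio/9b1d/id_rsa HTTP/1.1" 200 2602 "-" "curl/8.4"',
    '10.0.0.7 - - [12/May/2024:10:03:00 +0000] "GET /file=%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "curl/8.4"',
]


def demo_cache_scan() -> List[str]:
    """Builds a throwaway cache dir shaped like the one the exploit leaves
    behind (constructed contents) and scans it."""
    cache = Path(tempfile.mkdtemp())
    (cache / "3f2a9c").mkdir()
    (cache / "3f2a9c" / ".env").write_text("HF_TOKEN=hf_constructed\n")
    (cache / "77e1").mkdir()
    (cache / "77e1" / "cat.png").write_bytes(b"\x89PNG")
    try:
        return suspicious_cache_files(cache)
    finally:
        shutil.rmtree(cache)


if __name__ == "__main__":
    for hit in suspicious_file_requests(SAMPLE_LOG):
        print("suspicious /file= request:", hit)
    print("suspicious cache files:", demo_cache_scan())
```

Run suspicious_cache_files against the real GRADIO_TEMP_DIR before purging it; the list of matches is evidence for the incident record, and the hash-named parent directory ties each copy back to the /file= request that fetched it.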
What does CISA's SSVC say?
Decision: Track. Source: CISA Vulnrichment (SSVC v2.0), using the CISA Coordinator decision tree. Track means CISA saw no need for action beyond normal remediation at the time of assessment; it is a prioritisation signal for coordinators, not a statement about any one deployment's exposure.
Frequently Asked Questions
What is CVE-2024-4941?
A local file inclusion flaw in the JSON component of Gradio 4.25 and earlier. When a user-controlled string reaching the component's postprocess() parses to an object with a "path" key, the server copies the named file into its temp cache and an unauthenticated client can fetch it via /file=, exposing any file the Gradio process can read (model weights, API keys, .env configs). Upgrade to 4.26 or later, purge the temp directory and rotate secrets on hosts that were reachable while vulnerable.
Is CVE-2024-4941 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-4941, increasing the risk of exploitation.
How to fix CVE-2024-4941?
Upgrade to Gradio 4.26 or later (fix commit ee1e294). If that is blocked, remove gr.JSON outputs that can render user-derived strings or restrict network access to the instance. Then rotate all API keys, tokens and secrets on the host, purge the Gradio temp directory (GRADIO_TEMP_DIR, /tmp/gradio by default), check web server logs and the temp directory for /file= fetches and cached copies of secret files, and inventory remaining Gradio instances, internet-facing ones first.
What systems are affected by CVE-2024-4941?
This vulnerability affects the following AI/ML architecture patterns: model serving, ML demos and prototypes, inference endpoints.
What is the CVSS score for CVE-2024-4941?
CVE-2024-4941 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.83%.
What is the AI security impact?
Affected AI Architectures
Model serving, ML demos and prototypes, inference endpoints.
MITRE ATLAS Techniques
- AML.T0025 Exfiltration via Cyber Means
- AML.T0035 AI Artifact Collection
- AML.T0037 Data from Local System
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.
Exploitation Scenario
An attacker finds an organization's public Gradio demo via Shodan or direct enumeration and picks one in which a gr.JSON output renders a string derived from user input (the advisory's "user-controlled string is parsed as JSON"). They submit the string {"path": "/app/.env"} through the app's normal prediction API (/queue/join in Gradio 4.x). postprocess() parses it, move_files_to_cache() copies /app/.env into the Gradio temp directory (/tmp/gradio by default) under a per-file subdirectory, and the prediction response carries the new path, so nothing has to be guessed. A follow-up GET to /file=/tmp/gradio/<subdir>/.env returns the file, exposing OPENAI_API_KEY, HUGGINGFACE_TOKEN or database credentials. With those the attacker queries production LLM APIs at the victim's cost, pulls private model weights from Hugging Face, or reaches training data stores. No authentication and no special tooling: one crafted request plus one fetch, repeatable for any file the Gradio process can read.
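The mechanism from the advisory and the scenario above, as an added, self-contained illustration. This is not Gradio's code: postprocess_vulnerable, move_files_to_cache and serve_file are simplified stand-ins for the behaviour the advisory describes in json_component.py, processing_utils.move_files_to_cache() and the /file= route, and postprocess_hardened is an illustrative fix (treat parsed JSON as data, never as a file reference), not the change made in commit ee1e294. The .env file, its contents and the directory layout are constructed; the real /file= checks are more involved than the one-directory rule used here.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Any, Dict, Optional


def _copy_to_cache(src: Path, cache_dir: Path) -> Path:
    # Stand-in for Gradio's save-to-cache step: cache_dir/<sha1 of contents>/<basename>
    digest = hashlib.sha1(src.read_bytes()).hexdigest()
    dest_dir = cache_dir / digest
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name
    shutil.copyfile(src, dest)
    return dest


def move_files_to_cache(value: Any, cache_dir: Path) -> Any:
    """Vulnerable behaviour: walk any JSON-like object and treat every dict
    carrying a 'path' key as a file reference to copy into the cache."""
    if isinstance(value, dict):
        if "path" in value:
            cached = _copy_to_cache(Path(value["path"]), cache_dir)
            return {**value, "path": str(cached)}
        return {k: move_files_to_cache(v, cache_dir) for k, v in value.items()}
    if isinstance(value, list):
        return [move_files_to_cache(v, cache_dir) for v in value]
    return value


def postprocess_vulnerable(value: Any, cache_dir: Path) -> Any:
    # A str output is parsed as JSON and then handed to the cache walk, so
    # attacker text like '{"path": "/app/.env"}' becomes a file reference.
    if isinstance(value, str):
        value = json.loads(value)
    return move_files_to_cache(value, cache_dir)


def postprocess_hardened(value: Any, cache_dir: Path) -> Any:
    # Illustrative fix: JSON is data to display, never a file reference.
    if isinstance(value, str):
        value = json.loads(value)
    return value


def serve_file(requested: Path, cache_dir: Path) -> Optional[bytes]:
    # Simplified /file= handler: serve only paths inside the cache directory.
    try:
        requested.resolve().relative_to(cache_dir.resolve())
    except ValueError:
        return None
    return requested.read_bytes()


def demo() -> Dict[str, Any]:
    """Runs the attack against both variants in a throwaway directory."""
    root = Path(tempfile.mkdtemp())
    app_dir, cache_dir = root / "app", root / "gradio_cache"
    app_dir.mkdir()
    cache_dir.mkdir()
    env_path = app_dir / ".env"
    secret = b"OPENAI_API_KEY=sk-constructed-example\n"  # constructed secret
    env_path.write_bytes(secret)
    payload = json.dumps({"path": str(env_path)})  # attacker-controlled string

    result: Dict[str, Any] = {"secret": secret, "env_path": str(env_path)}
    # /file= refuses the original location outright.
    result["direct"] = serve_file(env_path, cache_dir)
    # Hardened variant: the JSON is echoed back and nothing lands in the cache.
    result["safe_out"] = postprocess_hardened(payload, cache_dir)
    result["hardened_cache"] = [p.name for p in cache_dir.rglob("*") if p.is_file()]
    # Vulnerable variant: the file is copied, the response leaks the new path,
    # and /file= now serves it.
    vuln_out = postprocess_vulnerable(payload, cache_dir)
    result["cached_path"] = vuln_out["path"]
    result["leaked"] = serve_file(Path(vuln_out["path"]), cache_dir)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    r = demo()
    print("direct fetch of .env:", r["direct"])
    print("cached copy at:", r["cached_path"])
    print("leaked via /file=:", r["leaked"])
```

The point the simulation makes is that the /file= boundary itself is not bypassed: the cache copy moves the secret inside the boundary, which is why the fix belongs in the component that parses untrusted JSON rather than in the file route.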
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Related Vulnerabilities
- CVE-2024-39236 (CVSS 9.8), same package gradio: code injection via component metadata
- CVE-2024-47167 (CVSS 9.8), same package gradio: unauthenticated SSRF in /queue/join, internal pivot
- CVE-2023-25823 (CVSS 9.8), same package gradio: hardcoded SSH key leaks via share=True demos
- CVE-2024-0964 (CVSS 9.4), same package gradio: unauthenticated LFI exposes full server filesystem
- CVE-2024-4253 (CVSS 9.1), same package gradio: CI/CD command injection enables secrets exfiltration