CVE-2024-8021: Gradio: open redirect exposes AI demo users to phishing

GHSA-7v2w-h4gh-w5cv MEDIUM PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

Gradio is the de facto standard for ML model demos and internal AI tooling UIs — if your teams expose Gradio publicly, attackers can craft URLs that silently redirect users to malicious sites after interacting with your app. Upgrade to a patched version immediately; if no patch is available for 4.37.2, restrict public access or add a reverse proxy with redirect validation. Risk is moderate but real: AI demo environments are soft targets with trusting internal users.

What is the risk?

CVSS 6.1 understates operational risk in AI contexts. Gradio is pervasively deployed as public-facing model demos and shared internally across data science teams — users have high trust in these URLs. Open redirect (CWE-601) is trivially exploitable with no auth required, and the URL-encoding bypass suggests basic WAF evasion is built in. EPSS 0.027 reflects low active exploitation today, but the attack surface (public ML demos, Hugging Face Spaces, internal tooling) is large. The absence of a listed patched version for the pip package as of the CVE publish date is a concern.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| Gradio | pip | | No patch |
| Gradio | pip | <= 4.37.2 | No patch |

43.0K OpenSSF 5.6 685 dependents Pushed 4d ago 26% patched ~110d to patch

How severe is it?

CVSS 3.1: 6.1 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 49% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: Required
S: Changed
C: Low
I: Low
A: None

What should I do?

5 steps
  1. PATCH

    Upgrade gradio beyond 4.37.2 — check PyPI for latest patched release (no fixed version listed in NVD as of publish date; monitor huntr advisory for patch confirmation).

  2. WORKAROUND

    If patching is blocked, deploy a reverse proxy (nginx/Cloudflare) with an allowlist of permitted redirect destinations.

  3. RESTRICT

    Remove public access to Gradio instances not intended for external use; enforce auth via SSO.

  4. DETECT

    Audit logs for 302 responses from Gradio endpoints containing encoded URL parameters (%2F, %3A patterns). Alert on redirects to external domains.

  5. INVENTORY

    Run 'pip show gradio' across ML workstations and CI environments to identify affected versions.
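
The DETECT step above, sketched as an added example (not code from Gradio or from this advisory): it scans proxy access logs for 302 responses whose request target carries encoded URL characters and, once decoded, names a host outside an allowlist. The allowlist, the "combined" log format and the sample lines are assumptions; access logs normally do not record the `Location` header, so the check inspects the request target instead.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumptions: allowlisted redirect hosts; proxy writes "combined" access logs.
ALLOWED_HOSTS = {"demo.example.internal"}
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# %2F / %3A, including double-encoded forms such as %252F.
ENCODED_RE = re.compile(r"%(?:25)*(?:2f|3a)", re.IGNORECASE)
# Absolute or scheme-relative URL anywhere in the decoded target.
EMBEDDED_RE = re.compile(r"(?:https?:)?[/\\]{2}([^/\\?#&\s]+)", re.IGNORECASE)

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encodings are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def external_hosts(target):
    """Hosts embedded in a request target that are not on the allowlist."""
    found = []
    for authority in EMBEDDED_RE.findall(fully_decode(target)):
        try:
            host = (urlsplit("//" + authority).hostname or "").rstrip(".")
        except ValueError:  # malformed authority: report it verbatim
            host = authority
        if host and host not in ALLOWED_HOSTS:
            found.append(host)
    return found

def suspicious_redirects(lines):
    """Return (target, hosts) for 302s whose encoded target names an external host."""
    hits = []
    for m in filter(None, map(LOG_RE.search, lines)):
        if m["status"] == "302" and ENCODED_RE.search(m["target"]):
            hosts = external_hosts(m["target"])
            if hosts:
                hits.append((m["target"], hosts))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [20/Mar/2025:10:01:02 +0000] "GET /redirect?url=https%3A%2F%2Fattacker.example%2Fharvest HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.7 - - [20/Mar/2025:10:01:09 +0000] "GET /redirect?url=%252F%252Fattacker.example HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.4 - - [20/Mar/2025:10:02:11 +0000] "GET /login?next=%2Fqueue%2Fjoin HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.4 - - [20/Mar/2025:10:03:40 +0000] "GET /redirect?url=https%3A%2F%2Fdemo.example.internal%2F HTTP/1.1" 302 0 "-" "-"',
]
```

On the sample, only the first two lines are reported: the same-site `next=` redirect and the allowlisted host pass.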

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.4 - AI system security
NIST AI RMF
GOVERN 6.1 - Policies for AI risk are established
MANAGE 2.2 - Mechanisms for responding to and recovering from AI risks
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-8021 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-8021, increasing the risk of exploitation.

How to fix CVE-2024-8021?

1. PATCH: Upgrade gradio beyond 4.37.2 — check PyPI for latest patched release (no fixed version listed in NVD as of publish date; monitor huntr advisory for patch confirmation).
2. WORKAROUND: If patching is blocked, deploy a reverse proxy (nginx/Cloudflare) with an allowlist of permitted redirect destinations.
3. RESTRICT: Remove public access to Gradio instances not intended for external use; enforce auth via SSO.
4. DETECT: Audit logs for 302 responses from Gradio endpoints containing encoded URL parameters (%2F, %3A patterns). Alert on redirects to external domains.
5. INVENTORY: Run 'pip show gradio' across ML workstations and CI environments to identify affected versions.

What systems are affected by CVE-2024-8021?

This vulnerability affects the following AI/ML architecture patterns: ML model serving UIs, AI demo environments, Internal AI tooling portals, Agent frameworks with Gradio frontends.

What is the CVSS score for CVE-2024-8021?

CVE-2024-8021 has a CVSS v3.1 base score of 6.1 (MEDIUM). The EPSS exploitation probability is 0.72%.

What is the AI security impact?

Affected AI Architectures

ML model serving UIs
AI demo environments
Internal AI tooling portals
Agent frameworks with Gradio frontends

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application
AML.T0052 Phishing

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malicious website by URL encoding. This can be exploited by sending a crafted request to the application, which results in a 302 redirect to an attacker-controlled site.

Exploitation Scenario

Attacker identifies a public Gradio-based model demo (e.g., via Shodan, Hugging Face Spaces, or a company's public AI showcase). They craft a URL like `https://legitimate-ai-demo.company.com/redirect?url=https%3A%2F%2Fattacker.com%2Fharvest` and send it via phishing email or Slack to data scientists or ML engineers with existing trust in that domain. User clicks, interacts briefly with what appears to be the real app, then gets silently 302-redirected to a credential-harvesting clone of an internal SSO page or AI tool. Given that AI/ML teams routinely share Gradio demo links, this social engineering vector has high success probability.

Weaknesses (CWE)

CWE-601 — URL Redirection to Untrusted Site ('Open Redirect'): The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published: March 20, 2025
Last Modified: March 26, 2025
First Seen: March 20, 2025