CVE-2024-8966: Gradio: DoS via malformed multipart boundary

GHSA-5cpq-9538-jm2j HIGH PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

Any Gradio deployment at or below version 5.22.0 is exploitable by unauthenticated remote attackers with a single crafted file upload request, rendering ML demos and internal AI tooling inaccessible. Patch to the latest Gradio release immediately and audit your AI system inventory for externally-exposed Gradio instances. As an interim control, enforce WAF rate-limiting and payload size restrictions on multipart upload endpoints.

Risk Assessment

Risk is elevated for organizations running Gradio as a public-facing ML demo or internal AI tooling interface. CVSS 7.5 with no authentication, no user interaction, and a network-accessible attack vector makes this trivially exploitable. EPSS of 0.00221 suggests limited current exploitation activity, and the absence of a CISA KEV listing indicates no confirmed mass exploitation. However, the attack requires zero specialized knowledge and can be automated, making it attractive for disruption campaigns targeting AI teams during critical model evaluation or deployment windows.

Affected Systems

Package Ecosystem Vulnerable Range Patched
gradio pip <= 5.22.0 No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch
video pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 52% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch: Upgrade Gradio to a version beyond 5.22.0; the fix commit f1718c47 is referenced upstream — verify your installed version against the patched release.

  2. Network controls: Place a WAF or reverse proxy in front of Gradio with strict multipart boundary length limits and request rate-limiting per IP.

  3. Access restriction: If Gradio is not required to be public, enforce network-level access controls (VPN, allowlist) immediately.

  4. Detection: Alert on abnormally high CPU utilization from the Gradio process and repeated HTTP 499/503 responses on upload endpoints.

  5. Inventory: Enumerate all Gradio instances across dev, staging, and prod environments — HuggingFace Spaces deployments are included in scope.
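
One way to apply the boundary-length and payload-size limits from step 2 at the application layer, as an added example (not Gradio's code and not the upstream fix): a dependency-free ASGI wrapper that refuses a multipart request before any multipart parser sees it. The 70-character cap is the RFC 2046 boundary limit; the names `MultipartGuard` and `check_upload` and the 50 MB body cap are assumptions chosen for illustration.

```python
import re
from typing import Optional, Tuple

MAX_BOUNDARY = 70            # RFC 2046: a boundary is 1 to 70 characters
MAX_BODY = 50 * 1024 * 1024  # assumed upload cap (50 MB); tune per deployment

# Strict allowlist: only "multipart/form-data; boundary=<bchars>" passes.
# Extra parameters are refused on purpose, so this filter and the server's
# multipart parser cannot disagree about where the boundary ends.
_BOUNDARY_RE = re.compile(
    r"^multipart/form-data\s*;\s*boundary=(\"?)"
    r"([0-9A-Za-z'()+_,\-./:=?]{1,%d})\1\s*$" % MAX_BOUNDARY,
    re.IGNORECASE,
)

def check_upload(content_type: str, content_length: str,
                 max_body: int = MAX_BODY) -> Optional[Tuple[int, str]]:
    """Return (status, reason) if the request must be refused, else None."""
    ctype = content_type.strip()
    if not ctype.lower().startswith("multipart/"):
        return None  # not a multipart upload; nothing to check here
    if not _BOUNDARY_RE.match(ctype):
        return 400, "malformed or over-long multipart boundary"
    # Requiring Content-Length also refuses chunked uploads of unknown size.
    if not re.fullmatch(r"[0-9]{1,15}", content_length):
        return 411, "multipart upload requires Content-Length"
    if int(content_length) > max_body:
        return 413, "multipart body exceeds size limit"
    return None

class MultipartGuard:
    """Pure-ASGI wrapper: refuses bad multipart requests before the app runs."""

    def __init__(self, app, max_body: int = MAX_BODY):
        self.app, self.max_body = app, max_body

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            hdrs = {k.lower(): v.decode("latin-1") for k, v in scope["headers"]}
            verdict = check_upload(hdrs.get(b"content-type", ""),
                                   hdrs.get(b"content-length", ""), self.max_body)
            if verdict:
                status, reason = verdict
                await send({"type": "http.response.start", "status": status,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": reason.encode()})
                return  # the wrapped app never sees the request
        await self.app(scope, receive, send)
```

Wrap the ASGI application object that serves Gradio with `MultipartGuard(app)` before handing it to the ASGI server; the guard is an interim control alongside the upgrade in step 1.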

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Availability and resilience of AI systems
NIST AI RMF: GOVERN 1.7 - Processes for tracking AI risks; MANAGE 4.1 - Response to negative AI system impacts
OWASP LLM Top 10: LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2024-8966?

Any Gradio deployment at or below version 5.22.0 is exploitable by unauthenticated remote attackers with a single crafted file upload request, rendering ML demos and internal AI tooling inaccessible. Patch to the latest Gradio release immediately and audit your AI system inventory for externally-exposed Gradio instances. As an interim control, enforce WAF rate-limiting and payload size restrictions on multipart upload endpoints.

Is CVE-2024-8966 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-8966, increasing the risk of exploitation.

How to fix CVE-2024-8966?

  1. Patch: Upgrade Gradio to a version beyond 5.22.0; the fix commit f1718c47 is referenced upstream — verify your installed version against the patched release.
  2. Network controls: Place a WAF or reverse proxy in front of Gradio with strict multipart boundary length limits and request rate-limiting per IP.
  3. Access restriction: If Gradio is not required to be public, enforce network-level access controls (VPN, allowlist) immediately.
  4. Detection: Alert on abnormally high CPU utilization from the Gradio process and repeated HTTP 499/503 responses on upload endpoints.
  5. Inventory: Enumerate all Gradio instances across dev, staging, and prod environments — HuggingFace Spaces deployments are included in scope.

What systems are affected by CVE-2024-8966?

This vulnerability affects the following AI/ML architecture patterns: ML model serving UI, LLM playground interfaces, AI demo deployments, Internal AI tooling portals, Human-in-the-loop review pipelines.

What is the CVSS score for CVE-2024-8966?

CVE-2024-8966 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.29%.

Technical Details

NVD Description

A vulnerability in the file upload process of gradio-app/gradio version @gradio/video@0.10.2 allows for a Denial of Service (DoS) attack. An attacker can append a large number of characters to the end of a multipart boundary, causing the system to continuously process each character and issue warnings. This can render Gradio inaccessible for extended periods, disrupting services and causing significant downtime.

Exploitation Scenario

An adversary targeting an organization's AI evaluation portal identifies a public-facing Gradio instance running a fine-tuned LLM demo. Using a simple curl command or Python script, they craft a multipart form upload where the boundary string is padded with tens of thousands of arbitrary characters. The Gradio server begins processing each character sequentially, emitting warnings and saturating the event loop. Within seconds, the server stops responding to legitimate requests. The adversary repeats this from multiple IPs or via a botnet, maintaining the DoS condition and blocking the security team's access to AI-assisted tooling or disrupting a time-sensitive model evaluation window prior to a product launch.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: March 20, 2025
Last Modified: October 15, 2025
First Seen: March 20, 2025
