CVE-2025-23042 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2025-23042 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-23042, increasing the risk of exploitation.

Q: How to fix CVE-2025-23042?

1. PATCH: Upgrade Gradio to 5.11.0 immediately—no known workarounds exist per the advisory. 2. DETECT: Audit web server access logs for requests using mixed-case path variants targeting sensitive directories (e.g., /Config/, /Models/, /Secrets/). 3. ISOLATE: Run Gradio under a dedicated low-privilege service account with minimal filesystem scope. 4. CONTAIN: Deploy a reverse proxy (nginx, Caddy) that normalizes path case before forwarding to Gradio. 5. INVENTORY: Enumerate all Gradio deployments organization-wide, including developer machines and CI/CD demo environments hosting AI models.

Q: What systems are affected by CVE-2025-23042?

This vulnerability affects the following AI/ML architecture patterns: model serving, ml_ui, agent frameworks, training pipelines.

Q: What is the CVSS score for CVE-2025-23042?

CVE-2025-23042 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.10%.

CISO Take

Any Gradio deployment on Windows or macOS where sensitive files exist in the served directory is at risk of unauthorized file access with zero authentication required. Upgrade to Gradio 5.11.0 immediately—this is a network-exploitable, no-auth vulnerability affecting one of the most widely deployed ML UI frameworks. Audit all Gradio instances in your environment, especially internal AI demo servers that may expose API keys, model configs, or training data.

Risk Assessment

High risk for organizations running Gradio on Windows or macOS servers. CVSS 7.5 with no privileges or user interaction required makes this trivially exploitable. The low EPSS (0.00099) and absence from CISA KEV suggest limited active exploitation at publication, but Gradio's massive adoption in AI/ML teams—including internal demo servers holding credentials and model artifacts—amplifies the blast radius significantly. Linux deployments are unaffected due to case-sensitive filesystems, but mixed environments and Windows-based AI workstations remain exposed.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.5 679 dependents Pushed 2d ago 27% patched ~110d to patch Full package profile →
gradio	pip	< 5.11.0	`5.11.0`
42.5K OpenSSF 5.5 679 dependents Pushed 2d ago 27% patched ~110d to patch Full package profile →

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 27% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

5 steps

PATCH

Upgrade Gradio to 5.11.0 immediately—no known workarounds exist per the advisory.
DETECT

Audit web server access logs for requests using mixed-case path variants targeting sensitive directories (e.g., /Config/, /Models/, /Secrets/).
ISOLATE

Run Gradio under a dedicated low-privilege service account with minimal filesystem scope.
CONTAIN

Deploy a reverse proxy (nginx, Caddy) that normalizes path case before forwarding to Gradio.
INVENTORY

Enumerate all Gradio deployments organization-wide, including developer machines and CI/CD demo environments hosting AI models.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Framework API AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0107 - Exploitation for Defense Evasion

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system security and access control

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain treatment of AI risks

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-23042?

Any Gradio deployment on Windows or macOS where sensitive files exist in the served directory is at risk of unauthorized file access with zero authentication required. Upgrade to Gradio 5.11.0 immediately—this is a network-exploitable, no-auth vulnerability affecting one of the most widely deployed ML UI frameworks. Audit all Gradio instances in your environment, especially internal AI demo servers that may expose API keys, model configs, or training data.

Is CVE-2025-23042 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-23042, increasing the risk of exploitation.

How to fix CVE-2025-23042?

1. PATCH: Upgrade Gradio to 5.11.0 immediately—no known workarounds exist per the advisory. 2. DETECT: Audit web server access logs for requests using mixed-case path variants targeting sensitive directories (e.g., /Config/, /Models/, /Secrets/). 3. ISOLATE: Run Gradio under a dedicated low-privilege service account with minimal filesystem scope. 4. CONTAIN: Deploy a reverse proxy (nginx, Caddy) that normalizes path case before forwarding to Gradio. 5. INVENTORY: Enumerate all Gradio deployments organization-wide, including developer machines and CI/CD demo environments hosting AI models.

What systems are affected by CVE-2025-23042?

This vulnerability affects the following AI/ML architecture patterns: model serving, ml_ui, agent frameworks, training pipelines.

What is the CVSS score for CVE-2025-23042?

CVE-2025-23042 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. Given Gradio's popularity for building web applications, particularly in machine learning and AI, this vulnerability may pose a substantial threat if exploited in production environments. This issue has been addressed in release version 5.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploitation Scenario

An adversary identifies a publicly accessible Gradio ML demo running on a Windows server behind a corporate reverse proxy. The application has ACL rules blocking '/config/secrets.env' containing an Anthropic API key used to back the inference endpoint. The attacker sends a GET request to '/Config/Secrets.env'—Gradio's validation logic fails to match the blocked lowercase path due to missing case normalization, while the Windows NTFS filesystem serves the file normally. The attacker extracts the API key in seconds, enabling unauthorized LLM API usage and potential further lateral movement into cloud AI infrastructure.