CVE-2025-23042: Gradio ACL bypass — HIGH

Q: Is CVE-2025-23042 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-23042, increasing the risk of exploitation.

Q: How to fix CVE-2025-23042?

1. PATCH: Upgrade Gradio to 5.11.0 immediately—no known workarounds exist per the advisory. 2. DETECT: Audit web server access logs for requests using mixed-case path variants targeting sensitive directories (e.g., /Config/, /Models/, /Secrets/). 3. ISOLATE: Run Gradio under a dedicated low-privilege service account with minimal filesystem scope. 4. CONTAIN: Deploy a reverse proxy (nginx, Caddy) that normalizes path case before forwarding to Gradio. 5. INVENTORY: Enumerate all Gradio deployments organization-wide, including developer machines and CI/CD demo environments hosting AI models.

Q: What systems are affected by CVE-2025-23042?

This vulnerability affects the following AI/ML architecture patterns: model serving, ml_ui, agent frameworks, training pipelines.

Q: What is the CVSS score for CVE-2025-23042?

CVE-2025-23042 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.84%.

CISO Take

Any Gradio deployment on Windows or macOS where sensitive files exist in the served directory is at risk of unauthorized file access with zero authentication required. Upgrade to Gradio 5.11.0 immediately—this is a network-exploitable, no-auth vulnerability affecting one of the most widely deployed ML UI frameworks. Audit all Gradio instances in your environment, especially internal AI demo servers that may expose API keys, model configs, or training data.

What is the risk?

High risk for organizations running Gradio on Windows or macOS servers. CVSS 7.5 with no privileges or user interaction required makes this trivially exploitable. The low EPSS (0.00099) and absence from CISA KEV suggest limited active exploitation at publication, but Gradio's massive adoption in AI/ML teams—including internal demo servers holding credentials and model artifacts—amplifies the blast radius significantly. Linux deployments are unaffected due to case-sensitive filesystems, but mixed environments and Windows-based AI workstations remain exposed.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Gradio	pip	—	No patch
43.0K OpenSSF 5.6 685 dependents Pushed 5d ago 26% patched ~110d to patch Full package profile →
Gradio	pip	< 5.11.0	`5.11.0`
43.0K OpenSSF 5.6 685 dependents Pushed 5d ago 26% patched ~110d to patch Full package profile →

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.8%

chance of exploitation in 30 days

Higher than 53% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

PATCH

Upgrade Gradio to 5.11.0 immediately—no known workarounds exist per the advisory.
DETECT

Audit web server access logs for requests using mixed-case path variants targeting sensitive directories (e.g., /Config/, /Models/, /Secrets/).
ISOLATE

Run Gradio under a dedicated low-privilege service account with minimal filesystem scope.
CONTAIN

Deploy a reverse proxy (nginx, Caddy) that normalizes path case before forwarding to Gradio.
INVENTORY

Enumerate all Gradio deployments organization-wide, including developer machines and CI/CD demo environments hosting AI models.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Framework API AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0107 - Exploitation for Defense Evasion

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system security and access control

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain treatment of AI risks

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-23042?

Any Gradio deployment on Windows or macOS where sensitive files exist in the served directory is at risk of unauthorized file access with zero authentication required. Upgrade to Gradio 5.11.0 immediately—this is a network-exploitable, no-auth vulnerability affecting one of the most widely deployed ML UI frameworks. Audit all Gradio instances in your environment, especially internal AI demo servers that may expose API keys, model configs, or training data.

Is CVE-2025-23042 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-23042, increasing the risk of exploitation.

How to fix CVE-2025-23042?

1. PATCH: Upgrade Gradio to 5.11.0 immediately—no known workarounds exist per the advisory. 2. DETECT: Audit web server access logs for requests using mixed-case path variants targeting sensitive directories (e.g., /Config/, /Models/, /Secrets/). 3. ISOLATE: Run Gradio under a dedicated low-privilege service account with minimal filesystem scope. 4. CONTAIN: Deploy a reverse proxy (nginx, Caddy) that normalizes path case before forwarding to Gradio. 5. INVENTORY: Enumerate all Gradio deployments organization-wide, including developer machines and CI/CD demo environments hosting AI models.

What systems are affected by CVE-2025-23042?

This vulnerability affects the following AI/ML architecture patterns: model serving, ml_ui, agent frameworks, training pipelines.

What is the CVSS score for CVE-2025-23042?

CVE-2025-23042 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.84%.

What is the AI security impact?

Affected AI Architectures

model servingml_uiagent frameworkstraining pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.6.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. Given Gradio's popularity for building web applications, particularly in machine learning and AI, this vulnerability may pose a substantial threat if exploited in production environments. This issue has been addressed in release version 5.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploitation Scenario

An adversary identifies a publicly accessible Gradio ML demo running on a Windows server behind a corporate reverse proxy. The application has ACL rules blocking '/config/secrets.env' containing an Anthropic API key used to back the inference endpoint. The attacker sends a GET request to '/Config/Secrets.env'—Gradio's validation logic fails to match the blocked lowercase path due to missing case normalization, while the Windows NTFS filesystem serves the file normally. The attacker extracts the API key in seconds, enabling unauthorized LLM API usage and potential further lateral movement into cloud AI infrastructure.

Weaknesses (CWE)

CWE-178 Improper Handling of Case Sensitivity Primary CWE-285 Improper Authorization Primary CWE-285 Improper Authorization

CWE-178 — Improper Handling of Case Sensitivity: The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

[Architecture and Design] Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis

Source: MITRE CWE corpus.