CVE-2025-48889 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2025-48889 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-48889, increasing the risk of exploitation.

Q: How to fix CVE-2025-48889?

1. PATCH: Upgrade Gradio to 5.31.0 or later — only complete remediation. 2. WORKAROUND: If immediate patching is blocked, disable flagging via flagging='never' in the Gradio Interface constructor. 3. NETWORK CONTROLS: Never expose unauthenticated Gradio instances to the internet; front with an authenticated reverse proxy (nginx + basic auth minimum). 4. DETECTION: Alert on anomalous disk growth rates on Gradio hosts; monitor for high-frequency POST requests to /flag or equivalent flagging endpoints. 5. INVENTORY: Audit all Gradio deployments across dev/staging/prod — data science teams routinely spin up unregistered instances outside standard SDLC and patch cycles.

Q: What systems are affected by CVE-2025-48889?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo interfaces, inference endpoints, training pipelines.

Q: What is the CVSS score for CVE-2025-48889?

CVE-2025-48889 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.47%.

CISO Take

Any publicly exposed Gradio instance below 5.31.0 is vulnerable to unauthenticated disk exhaustion — no credentials or ML knowledge required. Update to Gradio 5.31.0 immediately; if patching is delayed, set flagging='never' in the Interface constructor or restrict network access to the endpoint. ML demo environments are chronically under-patched — audit all internal and external Gradio deployments now, including shadow instances spun up by data science teams.

Risk Assessment

CVSS 7.5 High with no authentication, no user interaction, and low attack complexity makes this trivially reachable by any network adversary. EPSS of 0.94% and absence from CISA KEV suggest limited current exploitation, but the attack surface is broad: Gradio is ubiquitous in ML prototyping. Impact is availability-only — copied files cannot be read by the attacker, so there is no confidentiality risk. Highest risk for publicly exposed demo environments and internal tooling lacking network segmentation.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gradio	pip	—	No patch
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →
gradio	pip	< 5.31.0	`5.31.0`
42.5K OpenSSF 5.6 674 dependents Pushed 8d ago 27% patched ~110d to patch Full package profile →

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

1.5%

chance of exploitation in 30 days

Higher than 81% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade Gradio to 5.31.0 or later — only complete remediation.
WORKAROUND

If immediate patching is blocked, disable flagging via flagging='never' in the Gradio Interface constructor.
NETWORK CONTROLS

Never expose unauthenticated Gradio instances to the internet; front with an authenticated reverse proxy (nginx + basic auth minimum).
DETECTION

Alert on anomalous disk growth rates on Gradio hosts; monitor for high-frequency POST requests to /flag or equivalent flagging endpoints.
INVENTORY

Audit all Gradio deployments across dev/staging/prod — data science teams routinely spin up unregistered instances outside standard SDLC and patch cycles.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE-1.3 - Responses to the AI risks deemed high priority

OWASP LLM Top 10

LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2025-48889?

Any publicly exposed Gradio instance below 5.31.0 is vulnerable to unauthenticated disk exhaustion — no credentials or ML knowledge required. Update to Gradio 5.31.0 immediately; if patching is delayed, set flagging='never' in the Interface constructor or restrict network access to the endpoint. ML demo environments are chronically under-patched — audit all internal and external Gradio deployments now, including shadow instances spun up by data science teams.

Is CVE-2025-48889 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-48889, increasing the risk of exploitation.

How to fix CVE-2025-48889?

1. PATCH: Upgrade Gradio to 5.31.0 or later — only complete remediation. 2. WORKAROUND: If immediate patching is blocked, disable flagging via flagging='never' in the Gradio Interface constructor. 3. NETWORK CONTROLS: Never expose unauthenticated Gradio instances to the internet; front with an authenticated reverse proxy (nginx + basic auth minimum). 4. DETECTION: Alert on anomalous disk growth rates on Gradio hosts; monitor for high-frequency POST requests to /flag or equivalent flagging endpoints. 5. INVENTORY: Audit all Gradio deployments across dev/staging/prod — data science teams routinely spin up unregistered instances outside standard SDLC and patch cycles.

What systems are affected by CVE-2025-48889?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML demo interfaces, inference endpoints, training pipelines.

What is the CVSS score for CVE-2025-48889?

CVE-2025-48889 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.47%.

Technical Details

NVD Description

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.

Exploitation Scenario

An adversary scans for publicly accessible Gradio interfaces (common in ML teams sharing model demos via direct IP or cloud VMs). Without any credentials, they send crafted POST requests to Gradio's flagging endpoint specifying /dev/urandom as the input to be flagged. The server copies the stream into its flagging directory, consuming disk at memory bus speeds. Within minutes, the host disk saturates, crashing Gradio, any co-located database, and potentially the OS — taking down ML serving infrastructure, active training jobs, and experiment tracking systems. No exploit code or AI knowledge is required; a basic curl loop suffices.