CVE-2025-5320: Gradio: CORS origin bypass in ML UI handler
GHSA-wmjh-cpqj-4v6x · LOW · PoC AVAILABLE · CISA: TRACK*

Low-severity CORS origin validation flaw in Gradio <= 5.29.1 that could allow cross-origin requests to bypass CORS restrictions on exposed ML interfaces. High attack complexity (AC:H) and no confidentiality impact make this low priority, but teams with publicly-exposed Gradio demos should restrict access behind authentication or VPN until a patch is released. No patch is currently available; vendor did not respond to disclosure.
Risk Assessment
Low risk. CVSS 3.7 with high attack complexity limits practical exploitability — EPSS of 0.00036 confirms negligible exploitation probability in the wild. Impact is bounded to limited integrity violation (I:L); no data exfiltration or availability impact per CVSS vector. Primary concern is for organizations exposing Gradio instances on public networks without an authentication layer, which is common in ML demo and prototype environments. Not in CISA KEV.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | >= 5.0.0, <= 5.29.1 | No patch |
Recommended Action
1. No patch available yet — monitor gradio-app/gradio releases for a fix targeting >= 5.29.2.
2. Immediately restrict Gradio interfaces to internal networks or VPN — do not expose publicly without auth.
3. Place Gradio behind an authentication proxy (Clerk, OAuth2 proxy, nginx auth_request).
4. Add explicit CORS allowlist via server configuration overriding default behavior.
5. Monitor web access logs for anomalous Origin headers, especially requests with localhost or 127.x origins from non-local IPs.
6. For critical deployments, consider downgrading to a pre-5.x version as a temporary measure if auth overlay is not feasible.
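The access-log monitoring recommended above can be sketched as follows. This is an added example, not code from the advisory or from Gradio: it assumes an nginx access log whose format is the combined format with `"$http_origin"` appended as the last quoted field, and the sample lines, addresses and function names are constructed for illustration. It covers the whole 127.0.0.0/8 range, `::1` and `*.localhost` names rather than only the literal strings.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed log_format (not from the advisory): combined fields + "$http_origin".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<origin>[^"]*)"$'
)

def is_loopback_ip(value):
    """True if value is a literal loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False

def is_loopback_host(host):
    """True for localhost names and literal loopback IPs in an Origin host."""
    host = host.rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    return is_loopback_ip(host)

def suspicious_origins(lines):
    """Return (client_ip, origin, request) for loopback Origins sent by non-loopback clients."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["origin"] in ("", "-"):
            continue  # unparseable line or no Origin header logged
        try:
            host = urlsplit(m["origin"]).hostname or ""
        except ValueError:
            continue  # malformed Origin value, e.g. unbalanced IPv6 brackets
        if is_loopback_host(host) and not is_loopback_ip(m["ip"]):
            hits.append((m["ip"], m["origin"], m["req"]))
    return hits

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2025:10:01:02 +0000] "POST /queue/join HTTP/1.1" 200 512 "-" "Mozilla/5.0" "http://localhost:7860"',
    '127.0.0.1 - - [12/Jun/2025:10:01:05 +0000] "POST /queue/join HTTP/1.1" 200 512 "-" "Mozilla/5.0" "http://127.0.0.1:7860"',
    '198.51.100.23 - - [12/Jun/2025:10:02:11 +0000] "GET /config HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "https://demo.example.org"',
    '198.51.100.23 - - [12/Jun/2025:10:02:40 +0000] "POST /queue/join HTTP/1.1" 200 512 "-" "Mozilla/5.0" "http://127.0.0.2:7860"',
    '203.0.113.9 - - [12/Jun/2025:10:03:00 +0000] "GET /config HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "http://localhost.evil.example"',
    '203.0.113.9 - - [12/Jun/2025:10:03:09 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0" "-"',
]
```

If the proxy sits behind another load balancer, the first field must be the real client address (for example via nginx's realip module), otherwise every request appears to come from the balancer.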
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-5320 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-5320, increasing the risk of exploitation.
What systems are affected by CVE-2025-5320?
This vulnerability affects the following AI/ML architecture patterns: ML demo interfaces, model serving, inference endpoints.
What is the CVSS score for CVE-2025-5320?
CVE-2025-5320 has a CVSS v3.1 base score of 3.7 (LOW). The EPSS exploitation probability is 0.11%.
Technical Details
NVD Description
A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the component CORS Handler. The manipulation of the argument localhost_aliases leads to elevated privileges. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Exploitation Scenario
An adversary identifies a public-facing Gradio ML demo (e.g., an LLM chatbot, image classifier, or data processing tool). They craft a malicious HTML page that uses JavaScript to make cross-origin fetch requests to the Gradio API, manipulating the `localhost_aliases` parameter to pass the `is_valid_origin` check. A victim with active session access to the Gradio instance (e.g., a data scientist or internal user) visits the attacker's page. The browser, deceived by the bypassed CORS policy, sends the request with session credentials, allowing the attacker to invoke model inference, exfiltrate model outputs, or interact with the Gradio interface on behalf of the authenticated user.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2024-39236 | 9.8 | Gradio: code injection via component metadata | Same package: gradio |
| CVE-2024-47167 | 9.8 | Gradio: unauthenticated SSRF in /queue/join, internal pivot | Same package: gradio |
| CVE-2023-25823 | 9.8 | Gradio: hardcoded SSH key leaks via share=True demos | Same package: gradio |
| CVE-2024-0964 | 9.4 | Gradio: unauthenticated LFI exposes full server filesystem | Same package: gradio |
| CVE-2023-34239 | 9.1 | Gradio: path traversal + SSRF exposes model files & infra | Same package: gradio |