GHSA-26jh-r8g2-6fpr: Gradio: Dropdown validation bypass enables arbitrary input
GHSA-26jh-r8g2-6fpr MEDIUM
Gradio's Dropdown `allow_custom_value=False` can be bypassed via crafted HTTP requests, letting attackers inject arbitrary values directly into your ML inference pipeline. While medium severity standalone, risk escalates sharply if prediction functions treat Dropdown values as trusted inputs for file paths, database queries, or shell arguments — a common pattern in Gradio-based tooling. Upgrade to gradio>=5.0.0 immediately and enforce server-side allowlist validation regardless of UI constraints.
Risk Assessment
Medium standalone (CVSS 5.3, AV:N/AC:L/PR:N/UI:N), but contextually higher in AI/ML deployments. Zero authentication required, low attack complexity, fully remote. The real risk is developer trust assumption: Gradio devs routinely treat UI-enforced constraints as a security boundary, making this a silent false boundary that attackers trivially shatter. Gradio deployments span internal ML tools, Hugging Face Spaces, and production inference endpoints — all exposed surfaces.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | < 5.0.0 | 5.0.0 |
Recommended Action
1. Patch: Upgrade to gradio>=5.0.0 immediately — this is the definitive fix.
2. Workaround (if upgrade blocked): Add explicit allowlist validation at the top of every prediction function; reject values not in the approved set before any processing.
3. Audit: Enumerate all production Gradio Dropdown components; trace data flow from Dropdown values into downstream calls (file ops, subprocesses, DB queries).
4. Detection: Log all values received at Gradio inference endpoints; alert on values outside expected enum sets.
5. Architecture: Never rely on client-side or UI-layer constraints as a security boundary for server-side logic.
Frequently Asked Questions
What is GHSA-26jh-r8g2-6fpr?
Gradio's Dropdown `allow_custom_value=False` can be bypassed via crafted HTTP requests, letting attackers inject arbitrary values directly into your ML inference pipeline. While medium severity standalone, risk escalates sharply if prediction functions treat Dropdown values as trusted inputs for file paths, database queries, or shell arguments — a common pattern in Gradio-based tooling. Upgrade to gradio>=5.0.0 immediately and enforce server-side allowlist validation regardless of UI constraints.
Is GHSA-26jh-r8g2-6fpr actively exploited?
No confirmed active exploitation of GHSA-26jh-r8g2-6fpr has been reported, but organizations should still patch proactively.
How to fix GHSA-26jh-r8g2-6fpr?
1. Patch: Upgrade to gradio>=5.0.0 immediately — this is the definitive fix.
2. Workaround (if upgrade blocked): Add explicit allowlist validation at the top of every prediction function; reject values not in the approved set before any processing.
3. Audit: Enumerate all production Gradio Dropdown components; trace data flow from Dropdown values into downstream calls (file ops, subprocesses, DB queries).
4. Detection: Log all values received at Gradio inference endpoints; alert on values outside expected enum sets.
5. Architecture: Never rely on client-side or UI-layer constraints as a security boundary for server-side logic.
What systems are affected by GHSA-26jh-r8g2-6fpr?
This vulnerability affects the following AI/ML architecture patterns: ML demo platforms, model serving, inference endpoints, internal AI tooling.
What is the CVSS score for GHSA-26jh-r8g2-6fpr?
GHSA-26jh-r8g2-6fpr has a CVSS v3.1 base score of 5.3 (MEDIUM).
Technical Details
NVD Description
### Impact

**What kind of vulnerability is it? Who is impacted?**

This vulnerability is a **data validation issue** in the Gradio `Dropdown` component's pre-processing step. Even if the `allow_custom_value` parameter is set to `False`, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user's machine.

### Patches

Yes, this issue is addressed in `gradio>=5.0`. Please upgrade to the latest version to resolve the problem.

### Workarounds

**Is there a way for users to fix or remediate the vulnerability without upgrading?**

To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing them.
Exploitation Scenario
An adversary discovers an internal ML tool or Hugging Face Space running Gradio <5.0.0 with a Dropdown for model variant selection (e.g., 'base', 'large', 'instruct'). They intercept a legitimate POST request via browser devtools, then replay it substituting an arbitrary string for the valid option — such as a relative file path ('../../etc/passwd') or a model name pointing to an attacker-controlled artifact. The prediction function, trusting Gradio's now-bypassed constraint, passes the value directly to a file loader or model registry call, achieving unauthorized file read or loading of a malicious model artifact.
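The workaround and detection steps above, applied to the model-variant Dropdown from this scenario, as an added example that is not Gradio's own code or the advisory's. The names `enforce_choices`, `RejectedDropdownValue`, `predict` and the logger name are hypothetical, and the Dropdown is assumed to deliver option strings (a list of them when multiselect).

```python
import functools
import inspect
import logging

log = logging.getLogger("dropdown_guard")  # hypothetical logger name

# Constructed sample: the same list passed as choices= to the Dropdown.
MODEL_VARIANTS = ("base", "large", "instruct")


class RejectedDropdownValue(ValueError):
    """Raised when a request carries a value the Dropdown never offered."""


def enforce_choices(**allowed):
    """Re-check Dropdown-backed arguments on the server before fn runs."""
    allowed = {name: frozenset(c) for name, c in allowed.items()}

    def decorate(fn):
        sig = inspect.signature(fn)

        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            bound.apply_defaults()
            for name, choices in allowed.items():
                value = bound.arguments[name]
                # Multiselect Dropdowns deliver a list; check every element.
                items = value if isinstance(value, (list, tuple)) else [value]
                for item in items:
                    # Type check first: non-strings may be unhashable.
                    if not isinstance(item, str) or item not in choices:
                        log.warning("dropdown value outside allowlist: "
                                    "param=%s value=%r", name, item)
                        raise RejectedDropdownValue(f"invalid value for {name}")
            return fn(*args, **kwargs)

        return wrapper

    return decorate


@enforce_choices(variant=MODEL_VARIANTS)
def predict(prompt, variant):
    # Stand-in for the sink in the scenario: the value becomes part of a path.
    return f"models/{variant}/weights.bin"
```

The warning line is the signal to alert on: a browser using the rendered Dropdown can only submit listed options, so any hit means the request was built outside the UI.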
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2024-47167 | 9.8 | Gradio: unauthenticated SSRF in /queue/join, internal pivot | Same package: gradio |
| CVE-2024-39236 | 9.8 | Gradio: code injection via component metadata (CVSS 9.8) | Same package: gradio |
| CVE-2023-25823 | 9.8 | Gradio: hardcoded SSH key leaks via share=True demos | Same package: gradio |
| CVE-2024-0964 | 9.4 | Gradio: unauthenticated LFI exposes full server filesystem | Same package: gradio |
| CVE-2023-34239 | 9.1 | Gradio: path traversal + SSRF exposes model files & infra | Same package: gradio |