CVE-2024-1561

High · Public PoC

Published: 16 April 2024
Modified: 30 July 2025
KEV Added
Patch
CVSS Score v3: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9343 (99.8th percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-1561 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Gradio Project Gradio. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 0.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as Other Platforms, in the Privacy and Disclosure risk domain. MITRE ATLAS techniques in scope: Adversarial AI Attack Implementations (AML.T0016.000), Invert AI Model (AML.T0024.001).

Deeper analysis

CVE-2024-1561 affects the Gradio web framework (gradio-app/gradio). The root cause is insufficient access control on the /component_server endpoint, which permits unauthenticated callers to invoke arbitrary methods on Component and Block classes using attacker-supplied arguments. In particular, the move_resource_to_block_cache method can be abused to copy any readable file on the host into a temporary cache directory that is subsequently served back to the caller.

An unauthenticated remote attacker can therefore read arbitrary files, including environment variables that commonly contain API keys and credentials. The issue is exploitable whenever a Gradio application is reachable over the network, with elevated impact for instances launched via launch(share=True) or hosted on huggingface.co spaces. No authentication or user interaction is required, consistent with the CVSS 7.5 rating (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Public references point to a fix merged in commit 24a583688046867ca8b8b02959c441818bdb34a2 and released in Gradio 4.13.0; the changelog and associated huntr report confirm that the endpoint no longer permits unrestricted method invocation on component classes. The EPSS score remains high (current 0.9343, peak 0.9366), indicating sustained exploitation interest after disclosure.
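
The dispatch flaw described above, next to one way of restricting it, as an added Python sketch (not Gradio's code and not taken from the advisory). Every class, method and function name is hypothetical, and `cache_resource` only returns a marker string instead of touching any file.

```python
"""Name-based method dispatch: unrestricted vs. allowlisted (hypothetical names)."""


def server_callable(fn):
    """Mark a method as safe to expose through the RPC-style endpoint."""
    fn._server_callable = True
    return fn


class DemoComponent:
    """Stand-in for a UI component; not a Gradio class."""

    @server_callable
    def list_choices(self, prefix):
        # Intended to be reachable by the front end.
        return [c for c in ("alpha", "beta", "gamma") if c.startswith(prefix)]

    def cache_resource(self, path):
        # Internal helper that must never be driven by request data.
        # It only returns a marker here; no file is read or copied.
        return f"cached:{path}"


def dispatch_unrestricted(component, fn_name, data):
    """Flawed pattern: any attribute named in the request body is invoked."""
    return getattr(component, fn_name)(data)


def dispatch_allowlisted(component, fn_name, data):
    """Hardened pattern: only methods explicitly marked as exposed are invoked."""
    # Resolve on the class so instance attributes cannot shadow a method.
    fn = getattr(type(component), fn_name, None)
    if not callable(fn) or not getattr(fn, "_server_callable", False):
        raise PermissionError(f"{fn_name!r} is not an exposed method")
    return fn(component, data)


def handle_request(dispatch, body):
    """Return (status, payload) for a constructed request body."""
    try:
        return 200, dispatch(DemoComponent(), body["fn_name"], body["data"])
    except (PermissionError, AttributeError) as exc:
        return 403, str(exc)
```

The allowlisted dispatcher rejects internal helpers and dunder attributes alike, because the decision is made from an explicit marker rather than from whatever name the request supplies.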

Vulnerability details

An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.

AI Security Analysis (AI)

AI Category: Other Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Gradio is a Python library and platform for building web-based user interfaces for machine learning models, commonly used in AI/ML demos and deployments, fitting under 'Other Platforms' as it enables sharing and interaction with AI models via web apps.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2024-1561 enables exploitation of a public-facing Gradio web application (T1190) to perform arbitrary local file reads (T1005), including files containing credentials (T1552.001, formerly T1081).

MITRE ATLAS Techniques (AI)

AML.T0016.000: Adversarial AI Attack Implementations
AML.T0024.001: Invert AI Model

Affected Assets

gradio project
gradio
4.12.0 — 4.13.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.