CVE-2024-1561
Published: 16 April 2024
Summary
CVE-2024-1561 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Gradio Project Gradio. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Adversarial AI Attack Implementations (AML.T0016.000), Invert AI Model (AML.T0024.001).
Deeper analysis
CVE-2024-1561 affects the Gradio web framework (gradio-app/gradio). The root cause is insufficient access control on the /component_server endpoint, which permits unauthenticated callers to invoke arbitrary methods on Component and Block classes using attacker-supplied arguments. In particular, the move_resource_to_block_cache method can be abused to copy any readable file on the host into a temporary cache directory that is subsequently served back to the caller.
An unauthenticated remote attacker can therefore read arbitrary files, including environment variables that commonly contain API keys and credentials. The issue is exploitable whenever a Gradio application is reachable over the network, with elevated impact for instances launched via launch(share=True) or hosted on huggingface.co spaces. No authentication or user interaction is required, consistent with the CVSS 7.5 rating (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Public references point to a fix merged in commit 24a583688046867ca8b8b02959c441818bdb34a2 and released in Gradio 4.13.0; the changelog and associated huntr report confirm that the endpoint no longer permits unrestricted method invocation on component classes. The EPSS score remains high (current 0.9343, peak 0.9366), indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1205
Vulnerability details
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file…
more
on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Gradio is a Python library and platform for building web-based user interfaces for machine learning models, commonly used in AI/ML demos and deployments, fitting under 'Other Platforms' as it enables sharing and interaction with AI models via web apps.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2024-1561 enables exploitation of a public-facing Gradio web application (T1190) to perform arbitrary local file reads (T1005), including files containing credentials (T1081).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.