Login Sign Up

CVE-2024-1540

8.2 HIGH

📋 TL;DR

A command injection vulnerability in the gradio-app/gradio repository's GitHub Actions workflow allows attackers to execute arbitrary commands by manipulating GitHub context variables. This affects organizations using vulnerable versions of the gradio repository with GitHub Actions enabled. Attackers could modify the repository or exfiltrate secrets.

💻 Affected Systems

Products:
  • gradio-app/gradio
Versions: Versions before commit d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using GitHub Actions with the vulnerable workflow file.

📦 What is this software?

Gradio by Gradio Project

View all CVEs affecting Gradio →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the repository, exfiltration of all secrets stored in GitHub Actions, and potential lateral movement to connected systems.

🟠

Likely Case

Unauthorized code modifications, secret exfiltration, and disruption of CI/CD pipelines.

🟢

If Mitigated

Limited impact with proper input validation and environment variable isolation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires write access to the repository or ability to trigger GitHub Actions workflows.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28

Vendor Advisory: https://github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28

Restart Required: No

Instructions:

1. Update to the latest gradio repository version. 2. Ensure the deploy+test-visual.yml workflow file includes the security fix. 3. Review and rotate any exposed secrets.

🔧 Temporary Workarounds

Disable vulnerable workflow

all

Temporarily disable the deploy+test-visual.yml GitHub Actions workflow

Isolate untrusted inputs

all

Manually modify workflow to set GitHub context variables to intermediate environment variables

🧯 If You Can't Patch

  • Disable GitHub Actions for the repository
  • Implement strict access controls and monitor for suspicious workflow executions

🔍 How to Verify

Check if Vulnerable:

Check if deploy+test-visual.yml workflow contains direct use of ${{ github.event.* }} in run commands without intermediate variables

Check Version:

git log --oneline | grep d56bb28

Verify Fix Applied:

Verify the workflow uses environment variables for untrusted inputs (e.g., env: UNTRUSTED_INPUT: ${{ github.event.* }})

📡 Detection & Monitoring

Log Indicators:

  • Unexpected commands in GitHub Actions logs
  • Workflow executions from unauthorized users

Network Indicators:

  • Unusual outbound connections from GitHub Actions runners

SIEM Query:

source="github-actions" AND (command="*injection*" OR command="*malicious*" OR command="*unauthorized*")

📊 Metadata

CVE ID: CVE-2024-1540
CVSS v3 Score: 8.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE: CWE-77
Published: March 27, 2024
Last Updated: July 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-1540, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)