CVE-2024-47871

9.1 CRITICAL

📋 TL;DR

When a Gradio app is launched with share=True, Gradio runs an FRP (Fast Reverse Proxy) client that tunnels the locally running app to a temporary public link. In affected versions the connection between that FRP client and Gradio's FRP server is not encrypted (HTTPS is not enforced), so an attacker on the network path can read files uploaded through the demo and modify the requests and responses passing between client and server. Only demos published over the internet with share=True are exposed; a self-hosted app that never opens a share tunnel is not affected by this issue.

💻 Affected Systems

Products:
  • gradio
Versions: All versions before gradio 5
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when share=True option is used to share demos publicly over internet

📦 What is this software?

Gradio is an open-source Python library for building browser-based interfaces around machine-learning models and demos. Its share=True launch option publishes a locally running app at a temporary public *.gradio.live URL by tunneling traffic from the host machine through Gradio's FRP infrastructure.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete exposure of all uploaded sensitive files (documents, images, data) and ability to inject malicious content into communications between users and the Gradio application.

🟠

Likely Case

Interception of uploaded files containing personal or business data, leading to data breaches and privacy violations.

🟢

If Mitigated

No data exposure when proper HTTPS encryption is implemented or when share=True is avoided in production.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker needs a network position between the FRP client (running on the machine that hosts the demo) and Gradio's FRP share server, where the tunnel traffic is unencrypted in affected versions. No credentials or user interaction are needed; the end users opening the public link are not the target of the interception.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: gradio>=5

Vendor Advisory: https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh

Restart Required: Yes

Instructions:

1. Check the installed version: pip show gradio
2. Upgrade, quoting the specifier so the shell does not treat >= as a redirect: pip install --upgrade "gradio>=5"
3. Restart any running Gradio applications so the new version is loaded

🔧 Temporary Workarounds

Disable share=True in production

Applies to: all

Do not use share=True in production environments; it is the share tunnel itself, not the local app, that carries traffic over the unencrypted FRP link.

Modify the Gradio application code to remove share=True or set share=False

Host with HTTPS

Applies to: all

Expose the application yourself over HTTPS/TLS instead of through the share tunnel

Deploy behind a reverse proxy (nginx/apache) with TLS certificates
Use cloud platforms with built-in HTTPS

🧯 If You Can't Patch

  • Disable share=True option immediately in all production deployments
  • Implement network-level encryption (VPN, TLS-terminating proxy) for self-exposed Gradio traffic; note that a proxy in front of the local listener does not protect the FRP tunnel, which share=True opens outbound from the host itself

🔍 How to Verify

Check if Vulnerable:

Vulnerable if the installed gradio version is <5 AND the application calls launch() with share=True (both conditions must hold)

Check Version:

pip show gradio | grep Version

Verify Fix Applied:

Verify gradio version is >=5 with 'pip show gradio' and confirm share=True is not used in production
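The two verification steps above can be automated. The following is an added example, not code from Gradio or from the advisory: it reads the installed gradio version via importlib.metadata, parses the application source with Python's ast module to find launch() calls that pass a literal share=True, and combines both into a single verdict. The two sample apps are constructed for illustration; the assumption that share is the third positional parameter of launch() (after inline and inbrowser) follows the Gradio 4.x signature and is marked in the code.

```python
"""Check a Gradio deployment for CVE-2024-47871 exposure: version < 5 AND share=True."""
import ast
import re
import sys
from importlib.metadata import PackageNotFoundError, version
from typing import List, Optional

FIXED_MAJOR = 5  # per the advisory, every release before Gradio 5 is affected


def major_version(ver: str) -> int:
    """Leading integer of a version string: '4.44.1' -> 4, '5.0.0b2' -> 5."""
    m = re.match(r"\s*v?(\d+)", ver)
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    return int(m.group(1))


def installed_gradio_version() -> Optional[str]:
    """Version of the gradio package in this interpreter, or None if absent."""
    try:
        return version("gradio")
    except PackageNotFoundError:
        return None


def _is_true(node: Optional[ast.AST]) -> bool:
    return isinstance(node, ast.Constant) and node.value is True


def find_share_true(source: str) -> List[int]:
    """Line numbers of .launch(...) calls that pass a literal share=True.

    Both the keyword form and the third positional argument are checked
    (assumed parameter order inline, inbrowser, share, as in Gradio 4.x).
    A value computed at runtime, e.g. share=os.getenv(...), is not caught;
    grep for 'share' separately if your code does that.
    """
    hits: List[int] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if not (isinstance(node.func, ast.Attribute) and node.func.attr == "launch"):
            continue
        keywords = {kw.arg: kw.value for kw in node.keywords}
        positional = node.args[2] if len(node.args) >= 3 else None
        if _is_true(keywords.get("share")) or _is_true(positional):
            hits.append(node.lineno)
    return hits


def is_vulnerable(gradio_version: str, source: str) -> bool:
    """True when the version predates the fix and the code opens a share tunnel."""
    return major_version(gradio_version) < FIXED_MAJOR and bool(find_share_true(source))


# Constructed sample apps (not from the advisory): the first opens the
# share tunnel, the second binds locally and leaves TLS to a reverse proxy.
VULNERABLE_APP = """\
import gradio as gr
demo = gr.Interface(fn=lambda f: f.name, inputs="file", outputs="text")
demo.launch(share=True)
"""

HARDENED_APP = """\
import gradio as gr
demo = gr.Interface(fn=lambda f: f.name, inputs="file", outputs="text")
demo.launch(share=False, server_name="127.0.0.1", server_port=7860)
"""


if __name__ == "__main__":
    # Usage: python check_gradio_share.py app.py  (defaults to the sample app)
    ver = installed_gradio_version()
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else VULNERABLE_APP
    lines = find_share_true(src)
    print(f"gradio version: {ver or 'not installed'}; share=True at lines: {lines or 'none'}")
    if ver and is_vulnerable(ver, src):
        print("VULNERABLE: run pip install --upgrade 'gradio>=5' or set share=False")
```

Run it against each application entry point; a hit on a pre-5 install is the condition the advisory describes, while a hit on a 5.x install still tells you which apps are publishing themselves through the share tunnel.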

📡 Detection & Monitoring

Log Indicators:

  • Gradio startup log line "Running on public URL: https://<id>.gradio.live", which is printed only when share=True succeeded in opening a tunnel
  • Unencrypted file uploads to self-hosted Gradio endpoints (the app's local listener, default port 7860, is plain HTTP unless TLS is put in front of it)

Network Indicators:

  • Outbound tunnel connections from hosts running Gradio to the FRP share server; this client-to-server leg is the one that is unencrypted in affected versions
  • File uploads over plain HTTP to the app's local listener

The public *.gradio.live link that end users open is served over HTTPS, so unencrypted traffic to those hostnames is not the signal to hunt for; the exposure is on the tunnel leg leaving the demo host.

SIEM Query:

source_port:7860 AND protocol:http AND NOT protocol:https

Caveat: port 7860 is only Gradio's default local listener, so this query finds plain-HTTP traffic to self-hosted apps, not the FRP tunnel. Correlate it with the "Running on public URL" log line, or with outbound connections from the same host, to identify share=True deployments.
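As an added detection example (not from the advisory or the Gradio project), the function below scans application logs for the startup line Gradio prints when a share tunnel is opened and reports which processes announced a public *.gradio.live link, alongside the processes that only ever bound a local URL. The log lines are constructed for the example and the "timestamp program[pid]: message" layout is an assumed syslog-style format; adjust LINE_RE to your collector's format.

```python
"""Find Gradio share tunnels in application logs (added detection example)."""
import re
from typing import Iterable, List, Set, Tuple

# Gradio prints these lines at startup; the public-URL line appears only
# when share=True succeeded in opening a tunnel to a *.gradio.live link.
LOCAL_URL_RE = re.compile(r"Running on local URL:\s+(\S+)")
PUBLIC_URL_RE = re.compile(r"Running on public URL:\s+(https?://\S+\.gradio\.live\S*)")

# Assumed log layout: "<timestamp> <program[pid]>: <message>".
LINE_RE = re.compile(r"^\S+\s+(?P<tag>\S+?):\s+(?P<msg>.*)$")


def find_share_tunnels(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """(line number, program tag, public URL) for every share-tunnel announcement."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        m = PUBLIC_URL_RE.search(line)
        if not m:
            continue
        t = LINE_RE.match(line)
        tag = t.group("tag") if t else ""
        hits.append((n, tag, m.group(1)))
    return hits


def local_only_listeners(lines: Iterable[str]) -> Set[str]:
    """Program tags that bound a local URL and never announced a public one."""
    local: Set[str] = set()
    public: Set[str] = set()
    for line in lines:
        t = LINE_RE.match(line)
        if not t:
            continue
        if LOCAL_URL_RE.search(line):
            local.add(t.group("tag"))
        if PUBLIC_URL_RE.search(line):
            public.add(t.group("tag"))
    return local - public


# Constructed sample log: one app opened a share tunnel, one stayed local.
SAMPLE_LOG = """\
2024-10-10T12:00:01Z demo-app[4412]: Running on local URL:  http://127.0.0.1:7860
2024-10-10T12:00:04Z demo-app[4412]: Running on public URL: https://1a2b3c4d5e6f.gradio.live
2024-10-10T12:00:04Z demo-app[4412]: This share link expires in 72 hours.
2024-10-10T12:05:30Z batch-ui[5110]: Running on local URL:  http://0.0.0.0:7861
""".splitlines()


if __name__ == "__main__":
    for n, tag, url in find_share_tunnels(SAMPLE_LOG):
        print(f"line {n}: {tag} opened a share tunnel at {url}")
    print("local-only listeners:", sorted(local_only_listeners(SAMPLE_LOG)))
```

Feed it the stdout/stderr of each Gradio process (or the collector's copy of it); every tag it returns from find_share_tunnels is a host whose FRP tunnel traffic is worth inspecting until that host is on Gradio 5 or share=True is removed.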

🔗 References

  • Vendor advisory (GHSA-279j-x4gx-hfrh): https://github.com/gradio-app/gradio/security/advisories/GHSA-279j-x4gx-hfrh
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-47871