CVE-2024-1561: An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of
Summary
Gradio, a popular Python library for building AI interfaces, has a vulnerability in its `/component_server` endpoint that lets attackers call any method on a Component class with their own arguments. By exploiting a specific method called `move_resource_to_block_cache()`, attackers can copy files from the server's filesystem to a temporary folder and download them, potentially exposing sensitive data like API keys, especially when apps are shared online or hosted on platforms like Hugging Face.
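The flaw class described in the summary, as an added example that is not Gradio's code: a request-supplied method name is resolved with no check, contrasted with a dispatcher that only accepts deliberately exposed methods. The `Component` class, both dispatch functions, `SERVER_FUNCTIONS`, and the sample file are constructed for illustration; only the method name `move_resource_to_block_cache` comes from the page, and its body here is a simplified stand-in.

```python
import os
import shutil
import tempfile

class Component:
    """Constructed stand-in for a UI component; not Gradio's implementation."""

    def __init__(self, cache_dir):
        self.cache_dir = cache_dir

    def list_choices(self, prefix):
        # A method the front end is meant to call remotely.
        return [c for c in ("apple", "apricot", "banana") if c.startswith(prefix)]

    def move_resource_to_block_cache(self, path):
        # Internal helper: copies a file into the directory the app serves from.
        dest = os.path.join(self.cache_dir, os.path.basename(path))
        shutil.copy(path, dest)
        return dest

def dispatch_unchecked(component, fn_name, data):
    # Flawed pattern: the request body names any attribute of the component.
    return getattr(component, fn_name)(data)

# Hypothetical explicit allowlist of remotely callable methods.
SERVER_FUNCTIONS = frozenset({"list_choices"})

def dispatch_allowlisted(component, fn_name, data):
    # Hardened pattern: reject anything not deliberately exposed.
    if fn_name not in SERVER_FUNCTIONS:
        raise PermissionError(f"{fn_name!r} is not a server function")
    return getattr(component, fn_name)(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cache")
        os.mkdir(cache)
        secret = os.path.join(root, "app.env")  # constructed sample file
        with open(secret, "w") as fh:
            fh.write("API_KEY=constructed-sample\n")
        comp = Component(cache)
        dispatch_unchecked(comp, "move_resource_to_block_cache", secret)
        exposed = os.listdir(cache) == ["app.env"]  # file now sits in served dir
        try:
            dispatch_allowlisted(comp, "move_resource_to_block_cache", secret)
            blocked = False
        except PermissionError:
            blocked = True
        return exposed, blocked, dispatch_allowlisted(comp, "list_choices", "ap")
```

Calling `demo()` returns whether the unchecked dispatcher placed the file in the served cache directory, whether the allowlisted dispatcher refused the same call, and the result of a legitimately exposed method.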
Vulnerability Details
EPSS: 93.6%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-1561
First tracked: February 15, 2026 at 08:47 PM
Classified by LLM (prompt v3) · confidence: 95%