CVE-2024-47167: Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Requ
Summary
Gradio, an open-source Python package for building AI demos, is vulnerable to server-side request forgery (SSRF, where an attacker tricks a server into making requests to URLs the attacker chooses) in its `/queue/join` endpoint. Attackers can exploit this to make the Gradio server request internal or local network addresses, potentially stealing data or uploading malicious files; applications using the Video component are especially affected. Users should upgrade to Gradio version 5 or later to fix this issue.
Solution / Mitigation
Upgrade to `gradio>=5`. As a workaround, disable URL-based inputs or restrict them to trusted domains only, implement allowlist-based URL validation (only pre-approved URLs are accepted), and ensure that local or internal network addresses cannot be requested via the `/queue/join` endpoint.
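The allowlist-plus-address check described in the workaround, as an added example that is not Gradio's own code: a validator for user-supplied media URLs that accepts only allowlisted hosts and refuses any that resolve to an internal address. The allowed hostnames and the offline `fake_resolver` lookup table are constructed assumptions for demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this deployment may fetch media from (assumption).
ALLOWED_HOSTS = {"media.example.com", "cdn.example.org"}

# Constructed offline stand-in for DNS (same result shape as socket.getaddrinfo: address at record[4][0]).
FAKE_DNS = {"media.example.com": "93.184.216.34", "cdn.example.org": "::ffff:10.0.0.1"}

def fake_resolver(host, port, proto=0):
    return [(0, 0, 0, "", (FAKE_DNS[host], port))]

def is_internal_address(ip):
    """True for loopback, private (RFC 1918/ULA), link-local, multicast, reserved or unspecified."""
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is judged by the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_media_url(url, resolver=socket.getaddrinfo):
    """Return url if the server may fetch it server-side; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:  # "https://trusted.host@127.0.0.1/" has host 127.0.0.1
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:  # exact match against the allowlist, never a substring test
        raise ValueError(f"host not in allowlist: {host!r}")
    # A trusted name can still resolve to an internal address, so check every record.
    # The fetch should then connect to the checked address rather than re-resolve the name.
    try:
        records = resolver(host, parts.port or 443, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, KeyError) as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    for record in records:
        ip = ipaddress.ip_address(record[4][0])
        if is_internal_address(ip):
            raise ValueError(f"{host!r} resolves to internal address {ip}")
    return url

def is_fetchable(url, resolver=socket.getaddrinfo):
    try:
        validate_media_url(url, resolver=resolver)
        return True
    except ValueError:
        return False
```

In production, drop `fake_resolver` and let `validate_media_url` use the default `socket.getaddrinfo`; the allowlist does most of the work, and the address check is defence in depth against a trusted name that later points somewhere internal.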
Vulnerability Details
9.8 (critical)
EPSS: 0.2%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-47167
First tracked: February 15, 2026 at 08:47 PM
Classified by LLM (prompt v3) · confidence: 92%