CVE-2024-4254: The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable
highvulnerability
security
Summary
A workflow file (a set of automated tasks) in the Gradio project has a security flaw where it runs code from external copies of the repository without proper safety checks, allowing attackers to steal sensitive secrets (like API keys and authentication tokens). This happens because the workflow trusts and executes code from forks (unauthorized copies of the project) in an environment that has access to the main repository's secrets.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.6%
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
confidentialityintegrity
Taxonomy References
CWE (Weakness Type)
Affected Vendors
HuggingFace
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-4254
First tracked: February 15, 2026 at 08:47 PM
Classified by LLM (prompt v3) · confidence: 85%