CVE-2024-47868: Gradio is an open-source Python package designed for quick prototyping. This is a **data validation vulnerability** affe
Summary
CVE-2024-47868 is a data validation vulnerability (a flaw in how input data is checked) in Gradio, an open-source Python package for building AI demos. Attackers can exploit certain Gradio components by sending specially crafted requests that bypass input checks, allowing them to read and download sensitive files from a server that shouldn't be accessible. This risk is especially high for components that handle file data, like DownloadButton, Audio, ImageEditor, Chatbot, and others.
Solution / Mitigation
This issue has been resolved in gradio>5.0. Upgrading to the latest version will mitigate this vulnerability. There are no known workarounds for this vulnerability.
Vulnerability Details
Severity: 7.5 (High)
EPSS: 0.2%
Classification
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-47868
First tracked: February 15, 2026 at 08:47 PM
Classified by LLM (prompt v3) · confidence: 92%