CVE-2023-34239 Overview
CVE-2023-34239 affects Gradio, an open-source Python library used to build machine learning and data science web interfaces. The vulnerability stems from two distinct issues: insufficient path filtering that fails to restrict file access for users, and inadequate validation of URLs that the application proxies. Remote attackers can exploit these flaws over the network without authentication or user interaction. The Gradio maintainers addressed both issues in version 3.34.0. No workarounds exist, so upgrading is the only remediation path.
Critical Impact
Unauthenticated remote attackers can read arbitrary files from Gradio servers and abuse the proxy functionality to reach internal resources.
Affected Products
- Gradio (Python library) versions prior to 3.34.0
- Machine learning applications and demos built on vulnerable Gradio releases
- Hosted ML interfaces that expose Gradio endpoints to the network
Discovery Timeline
- 2023-06-08 - CVE-2023-34239 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-34239
Vulnerability Analysis
CVE-2023-34239 combines a path traversal weakness with a server-side request forgery (SSRF) condition. Gradio exposes endpoints that serve files and proxy URLs to support interactive ML demos. The library failed to validate user-supplied file paths against an allowlist, letting attackers reach files outside intended directories. The proxy endpoint similarly accepted arbitrary destination URLs without enforcing host restrictions. Combined, these flaws allow attackers to read sensitive files such as configuration data, credentials, or model artifacts, and to pivot requests through the Gradio server to internal services. The issue is tracked under CWE-20 (Improper Input Validation).
Root Cause
The root cause is missing input validation in two request handlers. The file-serving handler did not canonicalize and constrain requested paths within an approved directory, enabling directory traversal sequences to escape the intended root. The proxy handler did not enforce an allowlist of permitted destinations, so any URL submitted by a client was fetched server-side. Both code paths trusted client-controlled input without sanitization.
Attack Vector
An attacker sends crafted HTTP requests to a network-reachable Gradio instance. For file disclosure, the attacker supplies a relative path designed to traverse outside the application directory. For SSRF, the attacker submits a target URL to the proxy endpoint and receives the proxied response. Neither vector requires authentication, credentials, or any user interaction at the target. See the GitHub Security Advisory GHSA-3qqg-pgqq-3695 and pull requests #4370 and #4406 for the upstream fix details.
Detection Methods for CVE-2023-34239
Indicators of Compromise
- HTTP requests to Gradio file-serving endpoints containing ../ traversal sequences or absolute paths to sensitive files such as /etc/passwd or application configuration
- Outbound HTTP requests originating from the Gradio process to internal IP ranges (RFC1918) or cloud metadata services like 169.254.169.254
- Anomalous access to Gradio proxy endpoints with externally controlled url parameters
Detection Strategies
- Inspect web access logs for requests to Gradio routes containing encoded or raw path traversal patterns
- Alert on Gradio server processes initiating connections to internal networks or unexpected external destinations
- Inventory deployed Gradio versions and flag any instance running a release earlier than 3.34.0
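A log-scanning check for the first two strategies above, added here as an example and not code from Gradio or the advisory. It assumes Common Log Format access lines; the route names (/file=, /proxy=) and the sample entries are constructed, and only literal-IP destinations are classified as internal (a hostname would need resolving at analysis time).

```python
"""Added example: scan access logs for CVE-2023-34239 abuse patterns, traversal on
the file route and SSRF via the proxy route. Log lines and route names are constructed."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (  # RFC1918, loopback, link-local
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
URL_RE = re.compile(r'https?://[^\s"&]+', re.I)

def fully_decode(s):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../."""
    while (d := unquote(s)) != s:
        s = d
    return s

def is_traversal(target):
    """True when the decoded target escapes a directory or names /etc/passwd."""
    t = fully_decode(target).replace("\\", "/")
    return "../" in t or t.endswith("/..") or "/etc/passwd" in t

def internal_url_target(target):
    """Return an embedded URL whose host is a literal internal IP, else None."""
    for url in URL_RE.findall(fully_decode(target)):
        try:
            ip = ipaddress.ip_address(urlsplit(url).hostname)
        except ValueError:
            continue  # a hostname, not a literal IP: resolve it separately if needed
        if any(ip in net for net in INTERNAL_NETS):
            return url
    return None

def scan(lines):
    """Yield (client, finding, evidence) tuples for suspicious requests."""
    for m in filter(None, map(LOG_RE.match, lines)):
        client, target = m.group(1, 3)
        if is_traversal(target):
            yield client, "path-traversal", target
        if url := internal_url_target(target):
            yield client, "ssrf-internal", url

# Constructed sample log: two attack attempts followed by one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2023:10:00:01 +0000] "GET /file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432',
    '203.0.113.7 - - [08/Jun/2023:10:00:02 +0000] "GET /proxy=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '198.51.100.9 - - [08/Jun/2023:10:00:03 +0000] "GET /file=examples/cat.png HTTP/1.1" 200 20480',
]
```

Run `list(scan(SAMPLE_LOG))` to see the two flagged requests; the benign file request produces nothing.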
Monitoring Recommendations
- Forward Gradio application and reverse-proxy logs to a centralized logging platform for retention and correlation
- Baseline normal egress destinations from ML hosting infrastructure and alert on deviations
- Track Python package inventories on ML workloads to identify outdated gradio installations
How to Mitigate CVE-2023-34239
Immediate Actions Required
- Upgrade gradio to version 3.34.0 or later on all hosts running the library
- Audit network exposure of Gradio instances and restrict access to trusted users where feasible
- Review server logs for prior path traversal or proxy abuse attempts against vulnerable instances
Patch Information
The vulnerability is fixed in Gradio 3.34.0. The upstream commits in pull request #4370 and pull request #4406 introduce path filtering and URL validation for the proxy handler. The maintainers state there are no supported workarounds, so upgrading is required.
Workarounds
- No vendor-supported workarounds exist; the GitHub Security Advisory GHSA-3qqg-pgqq-3695 confirms upgrading is the only remediation
- As a compensating control until upgrade, place Gradio behind an authenticating reverse proxy and restrict outbound network access from the Gradio host to required destinations only
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.