CVE-2024-1728 Overview
CVE-2024-1728 is a local file inclusion (LFI) vulnerability in the gradio-app/gradio Python framework. The flaw exists in the UploadButton component, which fails to properly validate user-supplied file paths. Attackers can manipulate the file path parameter sent to the /queue/join endpoint to read arbitrary files on the host filesystem, including private SSH keys and other sensitive data. The issue is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Successful exploitation could enable further attacks, including potential remote code execution.
Critical Impact
Unauthenticated remote attackers can read arbitrary files from Gradio application hosts, exposing credentials and secrets that may lead to full system compromise.
Affected Products
- gradio-app/gradio (Python package)
- Gradio versions prior to the fix in commit 16fbe9cd0cffa9f2a824a0165beb43446114eec7
- Applications and ML demos built on vulnerable Gradio releases
Discovery Timeline
- 2024-04-10 - CVE-2024-1728 published to NVD
- 2025-07-30 - Last updated in NVD database
- Vendor fix committed to the gradio-app repository in commit 16fbe9cd0cffa9f2a824a0165beb43446114eec7
- Vulnerability reported via the Huntr Bug Bounty Program
Technical Details for CVE-2024-1728
Vulnerability Analysis
Gradio exposes a WebSocket-style queue endpoint at /queue/join that orchestrates component events, including file uploads driven by the UploadButton component. The server accepts metadata describing the location of uploaded files and trusts that path when reading content back from disk. Because the path field is not constrained to the intended upload directory, an attacker can supply an absolute path or traversal sequence and force the server to return the contents of an unrelated file. The exposure scales with the privileges of the Gradio process, which often runs with access to user home directories, model weights, API tokens, and SSH material.
Root Cause
The root cause is insufficient input validation on file path values processed during upload handling. The server does not canonicalize the submitted path or verify that it resides within an allow-listed temporary directory. The patch in commit 16fbe9cd0cffa9f2a824a0165beb43446114eec7 introduces stricter validation so that only files inside Gradio-managed upload locations can be referenced.
Attack Vector
The attack is fully network-based and requires no authentication or user interaction. An attacker sends a crafted request to the /queue/join endpoint of a Gradio instance, substituting the expected upload path with a path such as /root/.ssh/id_rsa or /etc/passwd. The server then returns or processes the targeted file as though it were part of an upload, leaking its contents. See the Huntr report for the disclosure details.
No verified public proof-of-concept code is included here. Refer to the vendor commit for the precise code paths involved in the fix.
Detection Methods for CVE-2024-1728
Indicators of Compromise
- Requests to /queue/join containing absolute paths or traversal sequences such as ../, /etc/, /root/.ssh/, or /home/<user>/.ssh/
- Gradio server logs showing file reads from locations outside the configured temp upload directory
- Outbound responses from Gradio endpoints containing contents of sensitive system files
- Unexpected access to private keys, environment files, or cloud credential files on hosts running Gradio
Detection Strategies
- Inspect HTTP and WebSocket payloads to /queue/join for path fields referencing locations outside Gradio's working upload directory.
- Apply file integrity and access auditing on sensitive paths like ~/.ssh/, /etc/shadow, and cloud credential stores on Gradio hosts.
- Correlate Gradio process file-read telemetry against the in-session upload directory and flag deviations.
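The two checks described above, the canonicalize-and-contain validation from the Root Cause section and the payload inspection from the Detection Strategies list, as an added example written for this advisory. It is not Gradio's own upload handler, not the vendor patch, and not a real Gradio log format: the upload directory, the JSON shape of the /queue/join body, the "path" key name, and the log lines are all constructed assumptions.

```python
"""Added example: canonicalize-and-contain path check plus a /queue/join log scanner.

Illustrative code for this advisory, not Gradio's handler or the vendor fix.
UPLOAD_DIR, PATH_KEYS, the payload shape and SAMPLE_LOG are constructed assumptions.
"""
import json
from pathlib import Path
from typing import Iterator, List, Tuple

# Assumed allow-listed upload root (constructed; Gradio's real location differs)
UPLOAD_DIR = Path("/tmp/gradio_uploads")

# Keys whose string values are treated as filesystem paths (assumption)
PATH_KEYS = {"path"}


def is_inside_upload_dir(candidate: str, upload_dir: Path = UPLOAD_DIR) -> bool:
    """Return True only if `candidate` canonicalizes to a location under upload_dir.

    Relative paths are joined to the upload dir; an absolute path replaces it.
    resolve() collapses '..' segments and follows symlinks, so the decision is
    never made on a raw string prefix comparison.
    """
    base = upload_dir.resolve(strict=False)
    target = (upload_dir / candidate).resolve(strict=False)
    try:
        target.relative_to(base)
        return True
    except ValueError:
        return False


def iter_path_fields(obj) -> Iterator[str]:
    """Walk a decoded JSON payload and yield every string stored under a path-like key."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in PATH_KEYS and isinstance(value, str):
                yield value
            else:
                yield from iter_path_fields(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from iter_path_fields(item)


def offending_paths(payload: str, upload_dir: Path = UPLOAD_DIR) -> List[str]:
    """Return the path values in a /queue/join JSON body that escape the upload dir."""
    try:
        decoded = json.loads(payload)
    except json.JSONDecodeError:
        return []
    return [p for p in iter_path_fields(decoded) if not is_inside_upload_dir(p, upload_dir)]


# Constructed sample log: timestamp, method, endpoint, JSON body (not real Gradio output)
SAMPLE_LOG = """\
2024-04-10T12:00:01Z POST /queue/join {"data": [{"path": "/tmp/gradio_uploads/s1/report.pdf"}]}
2024-04-10T12:00:02Z POST /queue/join {"data": [{"path": "/root/.ssh/id_rsa"}]}
2024-04-10T12:00:03Z POST /predict {"data": ["hello"]}
2024-04-10T12:00:04Z POST /queue/join {"data": [{"path": "s1/../../../etc/passwd"}]}
"""


def scan_log(log_text: str, upload_dir: Path = UPLOAD_DIR) -> List[Tuple[str, str]]:
    """Return (timestamp, offending_path) pairs for /queue/join requests whose
    path fields resolve outside the upload directory."""
    alerts: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if " /queue/join " not in line:
            continue
        body_start = line.find("{")
        if body_start == -1:
            continue
        timestamp = line.split(" ", 1)[0]
        for bad in offending_paths(line[body_start:], upload_dir):
            alerts.append((timestamp, bad))
    return alerts


if __name__ == "__main__":
    for ts, path in scan_log(SAMPLE_LOG):
        print(f"ALERT {ts}: path outside upload dir: {path}")
```

The containment test deliberately resolves both the base directory and the candidate before comparing, so a traversal hidden inside a relative name (`s1/../../../etc/passwd`) and a sibling directory with a matching prefix (`/tmp/gradio_uploads_evil`) are both rejected; a naive `startswith` on the raw string would pass the first and, depending on the separator, the second.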
Monitoring Recommendations
- Forward Gradio application logs and host process telemetry into a centralized analytics platform for path-traversal pattern matching.
- Alert on the Gradio process reading credential, key, or configuration files that are not part of normal model or asset loading.
- Track external access to Gradio instances exposed to the internet and review for anomalous /queue/join traffic volumes.
How to Mitigate CVE-2024-1728
Immediate Actions Required
- Upgrade Gradio to a release containing commit 16fbe9cd0cffa9f2a824a0165beb43446114eec7 or later.
- Restrict network exposure of Gradio applications by placing them behind authenticated reverse proxies or VPNs.
- Rotate any secrets, SSH keys, and API tokens reachable from the Gradio host if exploitation is suspected.
- Run Gradio as a low-privileged service account with no access to sensitive user or system directories.
Patch Information
The vendor fix is published in the gradio-app/gradio repository. Update the gradio Python package using pip install --upgrade gradio and verify the installed version includes the patched UploadButton handler. Review additional context in the Huntr disclosure.
Workarounds
- Place Gradio behind an authenticating proxy that requires login before any request can reach /queue/join.
- Deploy a web application firewall rule that rejects requests to /queue/join containing absolute filesystem paths or ../ sequences.
- Run Gradio inside a container or chroot with no mounted secrets and a dedicated, isolated upload directory.
- Disable UploadButton-based components in production deployments where file uploads are not strictly required.
# Upgrade Gradio to a patched version
pip install --upgrade gradio
# Verify the installed version
python -c "import gradio; print(gradio.__version__)"
# Example reverse proxy rule (NGINX) to block traversal attempts on /queue/join.
# Caveat: NGINX evaluates "if" during the rewrite phase, before the request body
# has been read, so $request_body is empty at that point and this condition never
# matches; it also does not see WebSocket frames. Enforcing the pattern below needs
# a body-inspecting WAF module (e.g. ModSecurity) in front of the proxy_pass, and the
# upgrade above remains the reliable fix. The rule is kept as the pattern to enforce.
# location /queue/join {
#     if ($request_body ~* "(\.\./|/etc/|/root/\.ssh|/home/[^/]+/\.ssh)") {
#         return 403;
#     }
#     proxy_pass http://gradio_backend;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

