Cleartext transmission of sensitive information in Gradio - CVE-2024-47871


Published: October 10, 2024 / Updated: April 28, 2026


Vulnerability identifier: #VU128285
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-47871
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Gradio
Affected software:
Gradio

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and modify transmitted data.

The vulnerability exists due to missing encryption of the communication between the FRP (fast reverse proxy) client and server when an application is launched with the share=True option. A remote attacker able to intercept network traffic between the FRP client and server can read sensitive information and modify the transmitted data.

This issue affects publicly shared Gradio demos exposed over the internet through the share=True feature.
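One defensive check a practitioner can run before the update is rolled out, given here as an added example that is not taken from the advisory or from the Gradio project: a static audit that finds Gradio `launch(...)` calls setting `share=True`, so every demo that would open an FRP share tunnel can be reviewed. The sample application sources are constructed for the example.

```python
"""Static audit for Gradio apps launched with share=True (added example).

Finds ``.launch(...)`` calls whose ``share`` keyword is the literal True, so
demos that would open an FRP share tunnel can be reviewed before the fixed
Gradio release is rolled out. Sources here are constructed inline strings.
"""
import ast


def audit_source(src: str) -> list[tuple[int, str]]:
    """Return (line, verdict) for each ``.launch(...)`` that enables or may enable sharing."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "launch"):
            continue
        share = next((kw.value for kw in node.keywords if kw.arg == "share"), None)
        if share is None:
            continue  # share not passed: no tunnel requested by this call
        if isinstance(share, ast.Constant):
            if share.value is True:
                findings.append((node.lineno, "share=True"))
        else:
            # Decided at runtime (variable, env lookup): needs manual review.
            findings.append((node.lineno, "share=<dynamic>"))
    return findings


# Constructed sample apps, not taken from the advisory.
SAMPLE_APPS = {
    "public_demo.py": "import gradio as gr\ndemo = gr.Interface(str, 'text', 'text')\n"
                      "demo.launch(share=True)\n",
    "local_demo.py": "import gradio as gr\ndemo = gr.Interface(str, 'text', 'text')\n"
                     "demo.launch(server_name='127.0.0.1', share=False)\n",
    "env_demo.py": "import os, gradio as gr\ndemo = gr.Interface(str, 'text', 'text')\n"
                   "demo.launch(share=os.environ.get('SHARE') == '1')\n",
}


def audit_all(apps: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Audit each named source; an empty list means no share tunnel is requested."""
    return {name: audit_source(src) for name, src in apps.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_APPS).items():
        for line, verdict in findings:
            print(f"{name}:{line}: {verdict}")
```

Calls whose `share` argument is computed at runtime are reported as dynamic rather than ignored, since the audit cannot prove the tunnel stays closed.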


How to mitigate CVE-2024-47871

Install the security update from the vendor's website.

Sources