A Security Review of Gradio 5
Source: HuggingFace
Date: 2024-10-10
URL: https://huggingface.co/blog/gradio-5-security
Summary
Security audit report: Hugging Face commissioned Trail of Bits to audit Gradio 5 ahead of its release. The audit found ten-plus vulnerabilities, all fixed in Gradio 5.0 (released October 10, 2024): CORS misconfigurations that could let a malicious site steal a user's token, SSRF that let a client make the server issue arbitrary requests, arbitrary file uploads leading to XSS, remote code execution via an nginx misconfiguration, and security gaps in the project's GitHub Actions workflows. Context: Gradio sees 6M+ monthly PyPI installs and backs 470k+ apps on HF Spaces.
Implications
HF as open-source ML hub. At 6M+ monthly installs and 470k+ Spaces apps, Gradio is production infrastructure for a significant fraction of the open-weights ecosystem. Commissioning a Trail of Bits audit before a major release, rather than patching CVEs reactively after it, is the kind of security maturation expected of a platform at this scale. CORS and SSRF are especially valuable to an attacker here because Gradio apps routinely hold HF tokens or model-provider API keys: a permissive CORS policy lets a malicious page read authenticated responses from a victim's browser, and SSRF turns the app server into a proxy for requests to hosts the attacker cannot reach directly.
Open-weights ecosystem health. Publishing the audit results openly is a transparency practice that builds trust with enterprise evaluators. The classes found (CORS, SSRF, arbitrary file upload) are textbook web-application issues, not anything ML-specific; that they survived in a framework this widely deployed is a reminder that ML teams should not assume demo infrastructure is production-hardened until it has had a dedicated security review. The practical corollary: a demo exposed beyond localhost is an internet-facing web app and should get the same authentication, origin allowlisting and egress controls as any other service.
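To make the two classes named above concrete, the following Python is an added illustration, not code from the Hugging Face post or from Gradio itself. It puts a weak CORS origin check beside a strict allowlist check, and shows an SSRF destination check for a URL-fetching endpoint that resolves the hostname and refuses non-public addresses. The allowlist, hostnames and the offline DNS table are constructed for the example.

```python
"""Added example: the CORS origin-validation and SSRF classes named in the
audit summary, each as a weak check beside a hardened one. Not Gradio code;
the allowlist, hostnames and DNS table below are constructed for the demo."""
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only origins that may read API responses.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def weak_origin_check(origin: str) -> bool:
    """Substring match on the trusted host. Passes attacker-controlled
    origins such as https://app.example.com.attacker.net; if the server
    then reflects the origin with Access-Control-Allow-Credentials: true,
    the attacker's page can read authenticated responses (token theft)."""
    return "app.example.com" in origin


def strict_origin_check(origin: Optional[str]) -> bool:
    """Exact scheme://host[:port] match against the allowlist. Missing,
    'null' and unknown origins are rejected, never reflected back."""
    if not origin or origin == "null":
        return False
    p = urlsplit(origin)
    if p.scheme not in ("http", "https") or not p.netloc:
        return False
    if p.path or p.query or p.fragment:  # a real Origin header has none
        return False
    return f"{p.scheme}://{p.netloc}".lower() in ALLOWED_ORIGINS


def cors_headers(origin: Optional[str]) -> dict:
    """Emit ACAO only for an allowlisted origin; 'Vary: Origin' stops a
    shared cache from serving one origin's ACAO to another."""
    if not strict_origin_check(origin):
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses. Unwraps IPv4-mapped IPv6
    (::ffff:127.0.0.1) so loopback cannot hide behind an IPv6 literal."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def ssrf_safe_url(url: str, resolver: Callable = socket.getaddrinfo) -> bool:
    """Refuse fetches that would reach loopback, RFC 1918, link-local (cloud
    metadata lives at 169.254.169.254) or other non-public space. IP literals
    are checked directly; hostnames are resolved and every returned address
    must be public. Production code should connect to the vetted address
    rather than re-resolve, otherwise DNS rebinding defeats the check."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:  # malformed port
        return False
    try:
        return is_public_address(p.hostname)
    except ValueError:
        pass  # not an IP literal; resolve it
    try:
        infos = resolver(p.hostname, port)
    except OSError:
        return False
    addrs = {info[4][0] for info in infos}
    return bool(addrs) and all(is_public_address(a) for a in addrs)


# Constructed DNS table so the example runs offline; 93.184.216.x stands in
# for public addresses, 10.1.2.3 for an internal host.
FAKE_DNS = {
    "cdn.example.org": ["93.184.216.34"],
    "intranet.example": ["10.1.2.3"],
    "rebind.example": ["93.184.216.35", "127.0.0.1"],  # split answer: fail closed
}


def fake_resolver(host: str, port: int):
    """Stand-in for socket.getaddrinfo with the same return shape."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
            for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for o in ["https://app.example.com", "https://app.example.com.attacker.net", "null"]:
        print(o, "weak:", weak_origin_check(o), "strict:", strict_origin_check(o))
    for u in ["https://cdn.example.org/weights.bin",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]:7860/",
              "https://intranet.example/",
              "https://rebind.example/"]:
        print(u, ssrf_safe_url(u, resolver=fake_resolver))
```

The two checks are deliberately fail-closed: an origin that does not match exactly gets no ACAO header at all, and a hostname whose answers mix public and private addresses is refused outright rather than trusting whichever address the connection happens to use.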