CVE-2024-10624: CWE-1333 Inefficient Regular Expression Complexity in gradio-app gradio-app/gradio
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$` to process user input. In Python's default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.
AI Analysis
Technical Summary
CVE-2024-10624 is a Regular Expression Denial of Service (ReDoS) in the gr.Datetime component of gradio-app/gradio. The component parses relative datetime expressions such as `now - 5d` with the pattern `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$`. The weakness is a pair of overlapping whitespace quantifiers: the `\s*` after `now` and the trailing `\s*` before `$` can both consume the same run of spaces. On an input consisting of `now`, a long run of whitespace and a final character that can never match, Python's backtracking `re` engine tries every way of splitting that run between the two quantifiers before it gives up, so matching time grows roughly quadratically with the length of the whitespace run; a request carrying a few tens of kilobytes of whitespace keeps a worker busy for seconds, and repeated requests pin the process at 100% CPU. Because the component value arrives in an ordinary HTTP request to the app, exploitation needs no authentication and no user interaction, which the CVSS 3.0 vector reflects: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), low attack complexity, no confidentiality or integrity impact, high availability impact. The advisory names git commit 98cbcae as the affected version and, at the time of this analysis, links no patch; no public exploit is known. The weakness is classified as CWE-1333 (Inefficient Regular Expression Complexity), the class of bug where a pattern that is correct for well-formed input has a worst case an attacker can choose.
Potential Impact
The impact is availability only: a single unauthenticated request can hold a gradio worker at 100% CPU for the duration of the regex match, and a stream of such requests makes the app unresponsive. For European organizations that expose gradio demos, internal model playgrounds or data-science tooling, that means downtime for customer-facing AI services and stalled internal workflows. Confidentiality and integrity are not affected, so data breach or tampering is not a concern here, but outages still cost money and reputation, and the payload is simple enough that automated tooling could sweep exposed gradio endpoints. Public-facing instances are the obvious targets; internal deployments are less exposed but remain vulnerable to any user or compromised host on the same network, since the request needs no credentials.
Mitigation Recommendations
Start by inventorying gradio deployments and checking whether the installed gr.Datetime component still contains the pattern above; the advisory names commit 98cbcae as affected and links no fix, so treat any build carrying that regex as vulnerable and watch the gradio project for a patched release. If an affected build must keep running, the cheapest fix is in the application: cap the length of the datetime string (a valid relative expression is a handful of characters), strip it before matching, and rewrite the pattern so that no two adjacent quantifiers can consume the same whitespace. Python's `re` module has no match timeout, so there is no engine-level safety net; the check must happen before the regex runs. At the edge, a request body size limit on the reverse proxy and per-IP rate limiting both blunt the attack, since the payload is a multi-kilobyte run of whitespace. A WAF rule can key on that shape (an unusually long whitespace run in a form value), but because the payload contains nothing that looks malicious on its own, expect length limits to work better than signatures. Alert on sustained CPU in gradio workers that does not track request volume, and run gradio in a container with a CPU quota and a process supervisor so a pinned worker cannot starve neighbouring services.
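The following is an added illustration, not code from the advisory or from the gradio project. It puts the vulnerable pattern quoted above beside a hardened rewrite that applies the mitigations just described (length cap, strip, no overlapping quantifiers), and it times the two patterns on a crafted input to show the quadratic growth. `HARDENED_RE`, `MAX_LEN`, the parser functions and the crafted input are my own assumptions; the hardened pattern is not gradio's fix.

```python
import re
import time

# Pattern quoted in the advisory for gr.Datetime (vulnerable as written).
# The \s* after "now" and the \s* before $ can both consume the same
# whitespace, so a run of n spaces that ends in a non-matching character
# is split n different ways before the match finally fails.
VULNERABLE_RE = re.compile(r"^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$")

# Hardened rewrite (assumption: my own pattern, not gradio's fix). The caller
# strips the input first, so there is no trailing \s*; every remaining \s* is
# followed by a token that can never match whitespace, so each position is
# tried at most once and matching time is linear in the input length.
HARDENED_RE = re.compile(r"^now(?:\s*-\s*(\d+)\s*([dmhs]))?$")

# A relative expression is short ("now - 123456 h" is 14 chars); anything
# longer is rejected before the regex engine ever sees it (assumed limit).
MAX_LEN = 64


def _result(m):
    """Turn a match into (amount, unit); bare 'now' or blank is (0, None)."""
    if m is None:
        return None
    if m.group(1) is None:
        return (0, None)
    return (int(m.group(1)), m.group(2))


def parse_vulnerable(text):
    """Match the way the advisory's pattern does: raw input, no length cap."""
    return _result(VULNERABLE_RE.match(text))


def parse_hardened(text):
    """Length cap, strip, then a regex with no overlapping quantifiers."""
    if len(text) > MAX_LEN:
        return None
    text = text.strip()
    if text == "":
        return (0, None)  # parity with the original, which accepts blank input
    return _result(HARDENED_RE.match(text))


def crafted(n):
    """Constructed attacker input: 'now', n spaces, then a byte that never matches."""
    return "now" + " " * n + "x"


def regex_seconds(pattern, text):
    """Wall-clock time of one match attempt of `pattern` against `text`."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def growth_factor(pattern, n=2000):
    """Time at 4n divided by time at n: about 16 for quadratic, about 4 for linear."""
    base = max(regex_seconds(pattern, crafted(n)), 1e-9)
    return regex_seconds(pattern, crafted(4 * n)) / base


if __name__ == "__main__":
    for s in ["now", " now - 5d ", "now-12 h", "yesterday", crafted(20)]:
        print(repr(s), parse_vulnerable(s), parse_hardened(s))
    print("vulnerable, x4 input:", round(growth_factor(VULNERABLE_RE), 1))
    print("hardened,   x4 input:", round(growth_factor(HARDENED_RE), 1))
    print("hardened on 200k spaces:",
          round(regex_seconds(HARDENED_RE, crafted(200_000)), 4), "s")
```

Both parsers agree on every well-formed input, so the rewrite is a drop-in replacement for the accepted grammar; the difference only shows on adversarial input, where the vulnerable pattern's time multiplies by roughly sixteen when the whitespace run is quadrupled while the hardened one stays flat. The length cap is the layer that matters most in production: it makes the regex's complexity irrelevant for anything an attacker can send.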
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-10-31T16:30:57.959Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b22178f764e1f470a27
Added to database: 10/15/2025, 1:01:22 PM
Last enriched: 10/15/2025, 1:15:12 PM
Last updated: 10/16/2025, 2:53:21 PM