Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-49375
CVE-2024-49375:
Python vulnerability analysis and mitigation
Overview
A critical vulnerability (CVE-2024-49375) has been identified in the Rasa framework, a popular open-source machine learning platform with over 25 million downloads. The vulnerability enables attackers to achieve Remote Code Execution (RCE) through the remote loading of maliciously crafted models into a Rasa instance. This security flaw affects both Rasa Pro and Rasa Open Source versions prior to their respective security updates, and carries a CVSS score of 9.0 (Critical) (GitHub Advisory, Security Online).
Technical details
The vulnerability is exploitable when the HTTP API is enabled using the --enable-api flag, which is not the default configuration. The flaw involves two potential attack scenarios: unauthenticated RCE when no authentication or security controls are configured, and authenticated RCE requiring valid authentication tokens or JWTs to interact with the Rasa API. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-502 (Deserialization of Untrusted Data) (GitHub Advisory).
Impact
If successfully exploited, the vulnerability allows attackers to execute arbitrary code on affected Rasa instances. This could potentially lead to complete system compromise, affecting the confidentiality, integrity, and availability of the system. The high CVSS score of 9.0 reflects the critical nature of this vulnerability, particularly in scenarios where authentication is not properly configured (GitHub Advisory).
Mitigation and workarounds
Rasa has released security patches to address this vulnerability. Users should upgrade to Rasa Pro versions 3.8.18, 3.9.16, or 3.10.12, or Rasa Open Source version 3.6.21. After upgrading, models must be retrained using the patched version. For users unable to upgrade immediately, recommended mitigations include enabling API authentication, loading models only from trusted sources, verifying file hashes, and implementing strict access controls based on the principle of least privilege (ASEC, GitHub Advisory).
Community reactions
The vulnerability was responsibly disclosed by Julian Scheid from Deutsche Telekom Security GmbH. In response to this security concern, Rasa has announced plans to enhance security in future releases by removing the ability to enable the API without authentication (GitHub Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management