A critical-severity vulnerability (CVE-2024-49375) has been identified in the popular open-source Rasa framework. This flaw, which carries a CVSS score of 9.1, allows attackers to achieve Remote Code Execution (RCE) through the remote loading of maliciously crafted models.
Rasa, which has over 25 million downloads, is widely used for developing text- and voice-based conversational AI applications and has become a cornerstone in machine learning deployments.
According to Rasa’s security advisory, the vulnerability impacts both Rasa Pro and Rasa Open Source. The root of the issue lies in the HTTP API, which is exposed when Rasa is started with the --enable-api flag. As the advisory explains, “An attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance can achieve Remote Code Execution.”
The advisory highlights two scenarios under which the vulnerability is exploitable:
- Unauthenticated RCE: This scenario arises when no authentication or security controls are configured for the Rasa HTTP API.
- Authenticated RCE: This requires attackers to possess valid authentication tokens or JSON Web Tokens (JWTs) to interact with the Rasa API.
Rasa has released patches to address this critical issue. Users are strongly encouraged to upgrade to the following versions:
- Rasa Pro: 3.8.18, 3.9.16, and 3.10.12
- Rasa Open Source: 3.6.21
To fully mitigate the CVE-2024-49375 vulnerability, users must also retrain their models using the patched version. Rasa advises developers to review their custom components, particularly those inheriting from affected components like CountVectorFeaturizer, DIETClassifier, and TEDPolicy, to ensure compatibility with the updated software.
For users unable to immediately apply updates, the advisory provides mitigation strategies:
- Enable API Authentication: Configure authentication for the Rasa HTTP API as described in the Rasa documentation.
- Source Models Securely: Load models only from trusted sources and verify file hashes to prevent tampering.
- Restrict API Access: Apply access controls using the principle of least privilege to limit interactions with the Rasa API.
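The "verify file hashes" mitigation above can be enforced as a gate that runs before any model archive reaches the Rasa loader. The following is an added example, not code from Rasa or its advisory; the `approved` manifest, the function names and the `model.tar.gz` file name are assumptions, and the sample archive is constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class ModelRejected(Exception):
    """Raised when a model archive must not be handed to the loader."""


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large model archives are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_model(path: Path, approved: dict) -> Path:
    """Return the resolved path only if its SHA-256 matches the pinned digest."""
    # `approved` (hypothetical manifest) maps file name -> hex digest and is
    # assumed to arrive over a trusted channel such as the training pipeline.
    resolved = path.resolve()
    if not resolved.is_file():
        raise ModelRejected(f"not a regular file: {path}")
    expected = approved.get(resolved.name)
    if expected is None:
        raise ModelRejected(f"no pinned digest for {resolved.name}")
    actual = sha256_file(resolved)
    if not hmac.compare_digest(actual, expected.lower()):
        raise ModelRejected(f"digest mismatch for {resolved.name}")
    return resolved


def demo() -> tuple:
    """Constructed sample: an approved archive, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        model = Path(tmp) / "model.tar.gz"
        model.write_bytes(b"constructed stand-in for a trained model")
        approved = {"model.tar.gz": sha256_file(model)}
        ok = verify_model(model, approved) == model.resolve()
        model.write_bytes(b"tampered contents")
        try:
            verify_model(model, approved)
            rejected = False
        except ModelRejected:
            rejected = True
    return ok, rejected
```

The check only holds if the verified file cannot be replaced between verification and loading, so keep approved models in a location the serving process can read but not write.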
Rasa plans to enhance security in future releases by requiring authentication for API access. As the advisory notes, “A future release of Rasa Pro will remove the ability to enable the API without any authentication method enabled.”