CVE-2024-49375

CVE-2024-49375 is a critical remote code execution (RCE) vulnerability (CVSS 3.1 score of 9.0; AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) affecting Rasa, an open-source machine learning framework for building conversational AI assistants. The flaw, linked to CWE-94 (code injection) and CWE-502 (deserialization of untrusted data), arises when a maliciously crafted model is loaded remotely into a Rasa instance via its HTTP API. This API must be explicitly enabled (e.g., via the `--enable-api` flag), which is not the default configuration.

Exploitation requires an attacker to upload or load a specially crafted model through the Rasa HTTP API. For unauthenticated RCE, the instance must lack any authentication or recommended security controls. Authenticated exploitation demands a valid authentication token or JWT, allowing the attacker to interact with the API. Successful exploitation grants full RCE on the host, potentially leading to complete compromise including high confidentiality, integrity, and availability impacts in a networked scope.

The Rasa security advisory (GHSA-cpv4-ggrr-7j9v) confirms the issue is patched in version 3.6.21, urging all users to upgrade immediately. For those unable to update, mitigations include mandating authentication on the API and restricting access to trusted users only, preventing unauthorized model loading.

This vulnerability is particularly relevant to AI/ML deployments, as Rasa powers automated conversational systems often exposed in production environments. No public evidence of real-world exploitation has been reported as of the CVE publication on 2025-01-14.