PyPi: Rasa

CVE-2024-49375

Safety vulnerability ID: 76362

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 14, 2025 Updated at Mar 29, 2025

Advisory

A vulnerability has been identified in Rasa Pro and Rasa Open Source that enables an attacker who can load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are:

- The HTTP API must be enabled on the Rasa instance, e.g. with --enable-api. This is not the default configuration.
- For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in our documentation.
- For authenticated RCE, the attacker must possess a valid authentication token or JWT to interact with the Rasa API.
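The advisory's preconditions can be checked from the outside without loading any model. The script below is an added example, not Rasa project code and not part of this advisory; it assumes (per Rasa's documented HTTP API) that GET /version is registered only when the API is enabled and needs no credentials, that GET /status is an authenticated route, and that a token- or JWT-protected instance answers an unauthenticated /status call with 401 or 403. The host name and the canned JSON bodies are constructed for the offline run, not captured from a real instance.

```python
"""Classify a Rasa instance against the preconditions named in the advisory.

Added example (not Rasa's own code). Assumptions, labelled:
  * GET /version exists only with --enable-api and needs no credentials.
  * GET /status is an authenticated API route; with --auth-token or
    --jwt-secret configured, an anonymous call gets 401/403.
Nothing here uploads or loads a model.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A fetcher returns (HTTP status or None when unreachable, body text).
Fetcher = Callable[[str], Tuple[Optional[int], str]]


def http_get(url: str) -> Tuple[Optional[int], str]:
    """Live fetcher: anonymous GET, HTTP errors mapped to (code, body)."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def make_fake_fetcher(responses: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Offline stand-in: URL path -> (status, body); unknown paths give 404."""
    def fetch(url: str) -> Tuple[Optional[int], str]:
        return responses.get(urllib.parse.urlsplit(url).path, (404, ""))
    return fetch


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.6.20' -> (3, 6, 20); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def assess_rasa_exposure(base_url: str, fetch: Fetcher = http_get) -> dict:
    """Report whether the API is enabled and whether /status is gated by auth."""
    base = base_url.rstrip("/")
    report = {"api_enabled": False, "version": None,
              "status_requires_auth": None, "finding": ""}

    v_code, v_body = fetch(f"{base}/version")
    if v_code is None:
        report["finding"] = "unreachable"
        return report
    if v_code != 200:
        report["finding"] = "HTTP API not exposed (no /version); preconditions not met"
        return report

    report["api_enabled"] = True
    try:
        report["version"] = json.loads(v_body).get("version")
    except (ValueError, AttributeError):
        report["version"] = None

    s_code, _ = fetch(f"{base}/status")
    if s_code == 200:
        report["status_requires_auth"] = False
        report["finding"] = "HTTP API enabled with no authentication: unauthenticated precondition met"
    elif s_code in (401, 403):
        report["status_requires_auth"] = True
        report["finding"] = "HTTP API enabled behind token/JWT auth: only the authenticated precondition applies"
    else:
        report["finding"] = f"HTTP API enabled; unexpected /status response {s_code}"
    return report


# Constructed sample responses shaped like Rasa's /version and /status JSON.
UNAUTHENTICATED_API = {
    "/version": (200, '{"version": "3.6.20", "minimum_compatible_version": "3.5.0"}'),
    "/status": (200, '{"model_file": "models/20240101.tar.gz", "num_active_training_jobs": 0}'),
}
TOKEN_PROTECTED_API = {
    "/version": (200, '{"version": "3.6.20", "minimum_compatible_version": "3.5.0"}'),
    "/status": (401, '{"status": "failure", "reason": "NotAuthenticated"}'),
}
API_DISABLED = {"/": (200, "Hello from Rasa: 3.6.20")}

if __name__ == "__main__":
    # rasa.example is a placeholder host; swap in a real base URL with http_get.
    for name, canned in [("open", UNAUTHENTICATED_API),
                         ("token", TOKEN_PROTECTED_API),
                         ("disabled", API_DISABLED)]:
        print(name, assess_rasa_exposure("http://rasa.example:5005", make_fake_fetcher(canned)))
```

Run it as-is for the three canned cases, or call `assess_rasa_exposure("http://host:5005")` against an instance you own to use the live fetcher. An instance reporting `status_requires_auth: False` matches the unauthenticated case in the advisory; the documented remedies are to drop `--enable-api` where the API is not needed, or to start Rasa with `--auth-token` or `--jwt-secret` so that every API call must carry a credential. The page lists no fixed versions, so `parse_version` is supplied for comparing the reported version against whatever floor your own tracking uses rather than against a number this page does not state.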

Affected package

rasa

Latest version: 3.6.21

Open source machine learning framework to automate text- and voice-based conversations: NLU, dialogue management, connect to Slack, Facebook, and more - Create chatbots and voice assistants

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources
