Rasa (un)authenticated Remote Code Execution via remote model loading (CVE-2024-49375)

During an internal penetration test, a product that uses Rasa to build a conversational AI was examined. A combination of penetration testing and source code analysis led to the discovery of an (un)authenticated Remote Code Execution vulnerability.

TL;DR

Which versions are affected?

  • rasa (pip) <3.6.21
  • rasa-pro (pip) <3.10.12, <3.9.16, <3.8.18

Are fixed versions available?
Yes, namely:

  • rasa (pip) 3.6.21
  • rasa-pro (pip) 3.10.12, 3.9.16, 3.8.18

Does Rasa need to be patched?
Yes, and as quickly as possible given the severity (critical, 9.1/10, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). Additional information on the fix and mitigation advice can be found on GitHub.

The RCE vulnerability affects systems running Rasa as follows:

  • Default configuration: not affected by RCE
  • HTTP API enabled (--enable-api): affected
    • No authentication method in use: unauthenticated RCE
    • Token Based Auth: authenticated RCE
    • JWT Based Auth: authenticated RCE
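
As an added example (not code from the advisory or from Rasa), the following Python triages a deployment against the fixed versions and the exposure matrix above. The `--auth-token` and `--jwt-secret` flags are Rasa's documented options for token and JWT authentication and are not named on this page; treating branches newer than the listed ones as patched is an assumption.

```python
import re

# Fixed releases per branch, as listed in this advisory.
FIXED = {
    "rasa": [(3, 6, 21)],
    "rasa-pro": [(3, 8, 18), (3, 9, 16), (3, 10, 12)],
}
# Assumption: Rasa's documented CLI options for token and JWT auth.
AUTH_FLAGS = ("--auth-token", "--jwt-secret")

def parse_version(text):
    """Return (major, minor, patch) from a version string such as '3.9.4'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_patched(package, version):
    """True if version is at or above the fixed release of its branch."""
    v = parse_version(version)
    fixes = FIXED[package]
    for fix in fixes:
        if v[:2] == fix[:2]:
            return v >= fix
    # Branches older than every listed fix stay vulnerable; branches newer
    # than the newest listed fix are assumed to contain it.
    return v[:2] > max(fix[:2] for fix in fixes)

def classify(package, version, argv):
    """Map one deployment onto the exposure categories of the advisory."""
    if is_patched(package, version):
        return "patched"
    if "--enable-api" not in argv:
        return "not affected by RCE (HTTP API disabled)"
    has_auth = any(arg.split("=", 1)[0] in AUTH_FLAGS for arg in argv)
    return "authenticated RCE" if has_auth else "unauthenticated RCE"

if __name__ == "__main__":
    # Constructed sample deployments (package, installed version, command line).
    samples = [
        ("rasa", "3.6.20", ["rasa", "run", "--enable-api"]),
        ("rasa-pro", "3.9.15", ["rasa", "run", "--enable-api", "--jwt-secret", "x"]),
        ("rasa-pro", "3.10.12", ["rasa", "run", "--enable-api"]),
    ]
    for pkg, ver, argv in samples:
        print(pkg, ver, "->", classify(pkg, ver, argv))
```

Feed it the version reported by `pip show rasa` (or `rasa-pro`) and the server's actual start command; any result other than "patched" means the upgrade is still outstanding.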

Is an exploit available?
Yes, the exploit can be found at the end of the full advisory and here.

Links:
https://github.com/RasaHQ/rasa-pro-security-advisories/security/advisories/GHSA-cpv4-ggrr-7j9v
https://nvd.nist.gov/vuln/detail/cve-2024-49375

Credits
Julian Scheid (julian.scheid@telekom.de)

Technical deep dive

For those interested in a technical deep dive into how the vulnerability was discovered and how the exploit was developed, reading the full advisory is highly recommended.

View the full advisory