CVE-2024-49375 Overview
CVE-2024-49375 is a critical Remote Code Execution (RCE) vulnerability affecting Rasa, an open source machine learning framework used for building conversational AI applications. The vulnerability allows an attacker who can load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution on the target system.
Critical Impact
Successful exploitation enables complete system compromise through Remote Code Execution, potentially allowing attackers to execute arbitrary commands, exfiltrate sensitive training data, and pivot to connected systems.
Affected Products
- Rasa versions prior to 3.6.21
- Rasa instances with HTTP API enabled (--enable-api flag)
- Rasa deployments without authentication configured
Discovery Timeline
- 2025-01-14 - CVE-2024-49375 published to NVD
- 2025-01-14 - Last updated in NVD database
Technical Details for CVE-2024-49375
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The flaw exists in how Rasa processes and loads machine learning models from remote sources. When the HTTP API is enabled on a Rasa instance, the application exposes endpoints that allow model loading operations. An attacker can craft a malicious model file that, when loaded by the Rasa instance, executes arbitrary code within the context of the running application.
The exploitation scenario requires the HTTP API to be enabled via the --enable-api flag, which is not the default configuration. However, many production deployments enable this feature for integration purposes. The vulnerability can be exploited either unauthenticated (if no authentication is configured) or authenticated (if the attacker possesses valid credentials or JWT tokens).
Root Cause
The root cause lies in insufficient validation and sanitization of model files during the remote model loading process. Rasa's model loading functionality does not adequately verify the integrity and safety of model components before deserializing and executing them. This allows maliciously crafted model payloads to include executable code that runs when the model is loaded into memory.
Attack Vector
The attack is network-based and targets Rasa instances with the HTTP API enabled. The attacker must be able to reach the Rasa API endpoint and either:
- Unauthenticated scenario: The target instance has no authentication configured, allowing any network-reachable attacker to interact with the model loading API
- Authenticated scenario: The attacker has obtained valid authentication tokens or JWT credentials through other means (credential theft, insider access, etc.)
Once access to the API is established, the attacker submits a request to load their malicious model. The Rasa instance processes the model, triggering code execution during the deserialization or model initialization phase. This grants the attacker code execution with the privileges of the Rasa process.
The vulnerability mechanism involves exploiting the model loading pipeline where untrusted model artifacts are processed without adequate security controls. For detailed technical analysis, refer to the GitHub Security Advisory.
Detection Methods for CVE-2024-49375
Indicators of Compromise
- Unexpected model loading API requests from unauthorized IP addresses or users
- Anomalous process spawning or network connections originating from Rasa processes
- Unusual file system activity in Rasa model directories or temporary folders
- Authentication failures followed by successful model loading operations
- Presence of unexpected model files or modifications to existing models
Detection Strategies
- Monitor Rasa API access logs for model loading endpoint activity (/model endpoints)
- Implement network traffic analysis to detect unusual outbound connections from Rasa instances
- Deploy file integrity monitoring on model storage directories to detect unauthorized modifications
- Configure SIEM rules to correlate API authentication events with subsequent model operations
Monitoring Recommendations
- Enable comprehensive logging for all Rasa HTTP API requests, particularly model management operations
- Implement real-time alerting for model loading operations from unexpected sources
- Monitor process execution patterns from Rasa containers or services for anomalous child processes
- Track network connections initiated by Rasa processes to identify potential command-and-control communication
How to Mitigate CVE-2024-49375
Immediate Actions Required
- Upgrade Rasa to version 3.6.21 or later immediately
- Audit existing Rasa deployments to identify instances with HTTP API enabled
- Implement authentication on all Rasa API endpoints if not already configured
- Review access logs for any suspicious model loading activity prior to patching
- Restrict network access to Rasa API endpoints using firewalls or network segmentation
Patch Information
Rasa has addressed this vulnerability in version 3.6.21. All users running earlier versions with the HTTP API enabled should upgrade immediately. The security fix implements proper validation and security controls for the model loading process to prevent code injection attacks. For additional details, see the GitHub Security Advisory.
Workarounds
- Disable the HTTP API by removing the --enable-api flag if remote model loading is not required
- Implement strong authentication using JWT tokens or API keys for all API access
- Restrict API access to trusted IP addresses only using network-level controls
- Deploy Rasa behind a reverse proxy with additional authentication layers
- Only allow model loading from trusted, verified sources and implement model integrity verification
# Configuration example - Restricting Rasa API access
# Use a reverse proxy like nginx to restrict access
# /etc/nginx/conf.d/rasa.conf
upstream rasa_backend {
server 127.0.0.1:5005;
}
server {
listen 443 ssl;
server_name rasa.internal.example.com;
# Restrict access to internal network only
allow 10.0.0.0/8;
deny all;
# Require authentication
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
location / {
proxy_pass http://rasa_backend;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
