CRITICALCVE-2024-49375CVSS 9.1

通过远程模型加载在 Rasa 中实现远程代码执行

Q: What is CVE-2024-49375 — Remote Code Execution in Rasa?

CVE-2024-49375 is a CRITICAL RCE vulnerability in Rasa versions up to 3.6.21. An attacker can execute arbitrary code by loading a malicious model via the HTTP API if it's enabled and not properly secured.

Q: Am I affected by CVE-2024-49375 in Rasa?

You are affected if you are using Rasa versions 3.6.21 or earlier and have the HTTP API enabled. Check your Rasa version and API configuration immediately.

Q: How do I fix CVE-2024-49375 in Rasa?

Upgrade to Rasa version 3.6.21 or later. If upgrading is not possible, disable the HTTP API and implement strong authentication.

Q: Is CVE-2024-49375 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability's severity and ease of exploitation suggest a potential for future attacks.

Q: Where can I find the official Rasa advisory for CVE-2024-49375?

Refer to the official Rasa security advisory on their website for detailed information and updates: [https://rasa.com/docs/rasa/security/](https://rasa.com/docs/rasa/security/)

平台

python

组件

rasa

修复版本

3.6.22

AI Confidence: highNVDEPSS 3.3%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2024-49375 describes a Remote Code Execution (RCE) vulnerability within the Rasa open-source machine learning framework. An attacker can achieve RCE by remotely loading a maliciously crafted model into a Rasa instance. This vulnerability affects versions of Rasa up to and including 3.6.21, and a patch is available in version 3.6.21.

Python

检测此 CVE 是否影响你的项目

上传你的 requirements.txt 文件，立即知道是否受影响。

上传 requirements.txt支持的格式: requirements.txt · Pipfile.lock

影响与攻击场景翻译中…

Successful exploitation of CVE-2024-49375 allows an attacker to execute arbitrary code on the Rasa server with the privileges of the Rasa process. This could lead to complete system compromise, data exfiltration, or denial of service. The prerequisites for exploitation are the enabling of the HTTP API (using --enable-api) and, in the unauthenticated case, a lack of security controls. Authentication is required for authenticated RCE, necessitating a valid authentication token.

利用背景翻译中…

CVE-2024-49375 was published on 2025-01-14. The vulnerability's severity is rated as CRITICAL (CVSS 9.1). Public proof-of-concept exploits are currently unknown, but the ease of exploitation given the prerequisites suggests a potential for rapid exploitation if widely publicized. It is not currently listed on CISA KEV.

哪些人处于风险中翻译中…

Organizations deploying Rasa for conversational AI applications are at risk, particularly those with the HTTP API enabled and lacking proper authentication. Shared hosting environments where multiple Rasa instances share resources are also at increased risk, as a compromise of one instance could potentially lead to compromise of others.

检测步骤翻译中…

• python / server:

import subprocess
result = subprocess.run(['rasa', '--version'], capture_output=True, text=True)
if result.stdout.startswith('Rasa==3.6'):
    print('Vulnerable version detected!')

• python / server: Check for the --enable-api flag in Rasa startup scripts or configuration files. • generic web: Monitor access logs for unusual POST requests to the /webhooks/rest/webhook endpoint. • generic web: Check Rasa server configuration for authentication settings and ensure they are properly configured.

攻击时间线

2025-01-14Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

EPSS

3.29% (87% 百分位)

CISA SSVC

利用情况none

可自动化yes

技术影响total

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 高 — 需要竞态条件、非默认配置或特定情况。难以可靠利用。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 无 — 攻击自动且无声，受害者无需任何操作。
Scope: 已改变 — 攻击可以超出脆弱组件，影响其他系统。
Confidentiality: 高 — 完全丧失机密性，攻击者可读取所有数据。
Integrity: 高 — 攻击者可写入、修改或删除任何数据。
Availability: 高 — 完全崩溃或资源耗尽，完全拒绝服务。

受影响的软件

组件rasa

供应商RasaHQ

影响范围修复版本

< 3.6.21 – < 3.6.213.6.22

弱点分类 (CWE)

CWE-94 CWE-502

时间线

已保留2024-10-14
发布日期2025-01-14
修改日期2025-01-15
EPSS 更新日期2026-04-02

披露后0天发布补丁

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2024-49375 is to upgrade Rasa to version 3.6.21 or later. If upgrading is not immediately feasible, disable the HTTP API by not using the --enable-api flag during Rasa server startup. Implement robust authentication and authorization mechanisms to restrict access to the API. Monitor Rasa server logs for suspicious activity, particularly related to model loading and API requests. Consider using a Web Application Firewall (WAF) to filter malicious requests.

修复方法

升级 Rasa 到 3.6.21 或更高版本。如果无法升级，请确保启用身份验证并限制访问仅限于可信用户。如果不需要，请禁用 HTTP API。

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2024-49375 — Remote Code Execution in Rasa?

CVE-2024-49375 is a CRITICAL RCE vulnerability in Rasa versions up to 3.6.21. An attacker can execute arbitrary code by loading a malicious model via the HTTP API if it's enabled and not properly secured.

Am I affected by CVE-2024-49375 in Rasa?

You are affected if you are using Rasa versions 3.6.21 or earlier and have the HTTP API enabled. Check your Rasa version and API configuration immediately.

How do I fix CVE-2024-49375 in Rasa?

Upgrade to Rasa version 3.6.21 or later. If upgrading is not possible, disable the HTTP API and implement strong authentication.

Is CVE-2024-49375 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability's severity and ease of exploitation suggest a potential for future attacks.

Where can I find the official Rasa advisory for CVE-2024-49375?

Refer to the official Rasa security advisory on their website for detailed information and updates: [https://rasa.com/docs/rasa/security/](https://rasa.com/docs/rasa/security/)

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE