Critical Vulnerability Found in Rasa Framework Enables Remote Code Execution

Summary: A critical-severity vulnerability (CVE-2024-49375) has been disclosed in the Rasa framework that allows an attacker to achieve Remote Code Execution (RCE) by having the server load a malicious model. The flaw affects both Rasa Pro and Rasa Open Source, carries a CVSS score of 9.1, and is exploitable both with and without authentication to the HTTP API. Rasa has released patches and recommends that users upgrade to secure their deployments against this vulnerability.

Threat Actor: Unknown | unknown
Victim: Rasa | Rasa

Key points:

  • A critical vulnerability allows Remote Code Execution via the Rasa HTTP API.
  • Two exploitation scenarios: Unauthenticated RCE and Authenticated RCE.
  • Users are urged to upgrade to the patched versions listed in the advisory and to implement additional security measures around the HTTP API.
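
As an added example (not code from Rasa, the advisory, or the source article), the following Python script shows the pre-load check a defender would want in front of any endpoint that accepts model archives: it opens a tar.gz, flags members whose paths escape the extraction directory, and parses any pickled members with pickletools to list the modules they would import, without ever unpickling them. It assumes, as an assumption the page does not state, that the model archive may contain Python pickles; the member names and the sample archive are constructed for illustration and do not reproduce the actual CVE-2024-49375 payload or mechanism.

```python
"""Pre-load scan of a Rasa-style model archive for pickle payloads.

Added example for this page; it is not code from Rasa or from the advisory.
It assumes the model archive is a tar.gz that may contain pickled components
(an assumption: the page does not describe the serialization format used, nor
the exact mechanism behind CVE-2024-49375).  The scan parses pickle opcodes
with pickletools and never calls pickle.load, so inspecting a hostile archive
cannot trigger the payload.
"""
import io
import pickle
import pickletools
import tarfile

# Modules an ML model artifact has no legitimate reason to import at load time.
DANGEROUS_MODULES = {
    "os", "posix", "nt", "subprocess", "sys", "builtins", "socket",
    "shutil", "importlib", "runpy", "code", "pty", "ctypes",
}

# Opcodes that push a string constant; STACK_GLOBAL consumes the last two.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_globals(data: bytes):
    """Return the (module, name) pairs a pickle stream would import.

    Returns None when ``data`` is not a parseable pickle.  GLOBAL carries
    "module name" in its argument; STACK_GLOBAL (protocol 4+) takes the two
    most recently pushed strings, which ``recent`` tracks.
    """
    refs, recent = [], []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name == "GLOBAL":
                module, name = arg.split(" ", 1)
                refs.append((module, name))
            elif op.name in STRING_OPS:
                recent.append(arg)
            elif op.name == "STACK_GLOBAL":
                if len(recent) < 2:
                    return None
                refs.append((recent[-2], recent[-1]))
    except (ValueError, IndexError, EOFError, OverflowError):
        return None
    return refs


def scan_model_archive(archive_bytes: bytes):
    """Return [(member, reason), ...]; an empty list means nothing was flagged."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Members that escape the extraction directory are a red flag on
            # their own, regardless of content.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                findings.append((member.name, "unsafe member path"))
                continue
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            refs = pickle_globals(data)
            if refs is None:  # not a pickle (e.g. JSON metadata)
                continue
            for module, name in refs:
                if module.split(".")[0] in DANGEROUS_MODULES:
                    findings.append((member.name, f"pickle imports {module}.{name}"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real Rasa model) with four members."""
    benign = pickle.dumps({"intent": "greet", "confidence": 0.93}, protocol=4)
    # Protocol-0 pickle that, if it were ever pickle.load()ed, would call
    # os.system("echo pwned").  Here it is only parsed, never loaded.
    malicious = b"cos\nsystem\n(S'echo pwned'\ntR."
    members = [
        ("metadata.json", b'{"model_id": "constructed-sample"}'),
        ("components/classifier.pkl", benign),
        ("components/featurizer.pkl", malicious),
        ("../etc/cron.d/backdoor", b"* * * * * root /tmp/x\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, blob in members:
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_model_archive(build_sample_archive()):
        print(f"REFUSE {member}: {reason}")
```

Run the scan before handing an archive to the Rasa HTTP API's model-loading endpoint and refuse anything it flags. Treat it as a secondary control only: the primary fix is the upgrade the advisory calls for, and the API itself should require authentication (for example `rasa run --enable-api --auth-token ...`) and not be reachable from untrusted networks.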

Source: https://securityonline.info/critical-vulnerability-in-rasa-framework-enables-remote-code-execution-cve-2024-49375/