CVE-2024-49375

CriticalRCE

Published: 14 January 2025

Published

14 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0335 87.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49375 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: Exploit Public-Facing Application (AML.T0049), Model (AML.T0010.003), Command and Scripting Interpreter (AML.T0050).

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). AI-specific risk: MITRE ATLAS Exploit Public-Facing Application (AML.T0049) plus 2 more. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the RCE vulnerability by requiring timely patching to Rasa version 3.6.21, eliminating the deserialization flaw.

AC-3 Access Enforcement good match

prevent

Enforces authentication and authorization on the HTTP API to block unauthorized loading of malicious models.

SI-10 Information Input Validation partial match

prevent

Validates uploaded model inputs to detect and reject malicious deserialization payloads exploiting CWE-502.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables remote code execution by loading a maliciously crafted model via the exposed HTTP API in Rasa, facilitating exploitation of a public-facing application.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

NVD Description

Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this…

are: 1. The HTTP API must be enabled on the Rasa instance eg with `--enable-api`. This is not the default configuration. 2. For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in our documentation. 3. For authenticated RCE, the attacker must posses a valid authentication token or JWT to interact with the Rasa API. This issue has been addressed in rasa version 3.6.21 and all users are advised to upgrade. Users unable to upgrade should ensure that they require authentication and that only trusted users are given access.

Deeper analysisAI

CVE-2024-49375 is a critical remote code execution (RCE) vulnerability (CVSS 3.1 score of 9.0; AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) affecting Rasa, an open-source machine learning framework for building conversational AI assistants. The flaw, linked to CWE-94 (code injection) and CWE-502 (deserialization of untrusted data), arises when a maliciously crafted model is loaded remotely into a Rasa instance via its HTTP API. This API must be explicitly enabled (e.g., via the `--enable-api` flag), which is not the default configuration.

Exploitation requires an attacker to upload or load a specially crafted model through the Rasa HTTP API. For unauthenticated RCE, the instance must lack any authentication or recommended security controls. Authenticated exploitation demands a valid authentication token or JWT, allowing the attacker to interact with the API. Successful exploitation grants full RCE on the host, potentially leading to complete compromise including high confidentiality, integrity, and availability impacts in a networked scope.

The Rasa security advisory (GHSA-cpv4-ggrr-7j9v) confirms the issue is patched in version 3.6.21, urging all users to upgrade immediately. For those unable to update, mitigations include mandating authentication on the API and restricting access to trusted users only, preventing unauthorized model loading.

This vulnerability is particularly relevant to AI/ML deployments, as Rasa powers automated conversational systems often exposed in production environments. No public evidence of real-world exploitation has been reported as of the CVE publication on 2025-01-14.

Details

CWE(s): CWE-94 CWE-502

AI Security AnalysisAI

AI Category: Enterprise AI Assistants
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Rasa is an open-source machine learning framework specifically designed for building conversational AI assistants and chatbots, fitting the Enterprise AI Assistants category.

CVEs Like This One

CVE-2026-35171Shared CWE-502, CWE-94

CVE-2024-55241Shared CWE-94

CVE-2025-67617Shared CWE-502

CVE-2026-2020Shared CWE-502

CVE-2025-49386Shared CWE-502

CVE-2025-23209Shared CWE-94

CVE-2026-39440Shared CWE-94

CVE-2026-23549Shared CWE-502

CVE-2026-27971Shared CWE-502

CVE-2025-59287Shared CWE-502

References

https://github.com/RasaHQ/rasa-pro-security-advisories/security/advisories/GHSA-cpv4-ggrr-7j9v
security-advisories@github.com