Cyber Resilience

CVE-2024-49375

CriticalRCE

Published: 14 January 2025

Published
14 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0448 89.3th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49375 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: Exploit Public-Facing Application (AML.T0049), Model (AML.T0010.003), Command and Scripting Interpreter (AML.T0050).

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-49375 is a critical remote code execution (RCE) vulnerability (CVSS 3.1 score of 9.0; AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) affecting Rasa, an open-source machine learning framework for building conversational AI assistants. The flaw, linked to CWE-94 (code injection) and CWE-502 (deserialization of untrusted data), arises when a maliciously crafted model is loaded remotely into a Rasa instance via its HTTP API. This API must be explicitly enabled (e.g., via the `--enable-api` flag), which is not the default configuration.

Exploitation requires an attacker to upload or load a specially crafted model through the Rasa HTTP API. For unauthenticated RCE, the instance must lack any authentication or recommended security controls. Authenticated exploitation demands a valid authentication token or JWT, allowing the attacker to interact with the API. Successful exploitation grants full RCE on the host, potentially leading to complete compromise including high confidentiality, integrity, and availability impacts in a networked scope.

The Rasa security advisory (GHSA-cpv4-ggrr-7j9v) confirms the issue is patched in version 3.6.21, urging all users to upgrade immediately. For those unable to update, mitigations include mandating authentication on the API and restricting access to trusted users only, preventing unauthorized model loading.

This vulnerability is particularly relevant to AI/ML deployments, as Rasa powers automated conversational systems often exposed in production environments. No public evidence of real-world exploitation has been reported as of the CVE publication on 2025-01-14.

EU & UK References

Vulnerability details

Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this…

more

are: 1. The HTTP API must be enabled on the Rasa instance eg with `--enable-api`. This is not the default configuration. 2. For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in our documentation. 3. For authenticated RCE, the attacker must posses a valid authentication token or JWT to interact with the Rasa API. This issue has been addressed in rasa version 3.6.21 and all users are advised to upgrade. Users unable to upgrade should ensure that they require authentication and that only trusted users are given access.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: machine learning

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote code execution by loading a maliciously crafted model via the exposed HTTP API in Rasa, facilitating exploitation of a public-facing application.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0049: Exploit Public-Facing ApplicationAML.T0010.003: ModelAML.T0050: Command and Scripting Interpreter

CVEs Like This One

CVE-2026-35171Shared CWE-502, CWE-94
CVE-2024-55241Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2025-65037Shared CWE-94
CVE-2026-9170Shared CWE-94
CVE-2025-60237Shared CWE-502
CVE-2025-54719Shared CWE-502
CVE-2024-57707Shared CWE-94
CVE-2025-27407Shared CWE-94
CVE-2026-40473Shared CWE-502

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the RCE vulnerability by requiring timely patching to Rasa version 3.6.21, eliminating the deserialization flaw.

prevent

Enforces authentication and authorization on the HTTP API to block unauthorized loading of malicious models.

prevent

Validates uploaded model inputs to detect and reject malicious deserialization payloads exploiting CWE-502.

References