CVE-2024-45858: Guardrails has an arbitrary code execution vulnerability

September 18, 2024

An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user’s machine.

References

github.com/advisories/GHSA-w392-75q8-vr67
github.com/guardrails-ai/guardrails
github.com/guardrails-ai/guardrails/commit/ab12701e8c3ef41273ff9b3912f2e4e28ae8306f
hiddenlayer.com/sai-security-advisory/2024-09-guardrails
nvd.nist.gov/vuln/detail/CVE-2024-45858

Detect and mitigate CVE-2024-45858 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →