Rasa Allows Remote Code Execution via Remote Model Loading
Vulnerability A vulnerability has been identified in Rasa Pro and Rasa Open Source that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: The HTTP API must be enabled on the Rasa instance eg with –enable-api. This is not the default configuration. For unauthenticated RCE to be exploitable, the user must …