Rasa · Rasa Pro · CVE-2024-49375
**Name of the Vulnerable Software and Affected Versions**
Rasa versions prior to 3.6.21
Rasa Pro versions prior to 3.8.18, 3.9.16, 3.10.12
**Description**
A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are:
1. The HTTP API must be enabled on the Rasa instance, for example, with `--enable-api`.
2. For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in the documentation.
3. For authenticated RCE, the attacker must possess a valid authentication token or JWT to interact with the Rasa API.
**Recommendations**
For Rasa versions prior to 3.6.21, upgrade to version 3.6.21 or later.
For Rasa Pro versions prior to 3.8.18, 3.9.16, or 3.10.12, upgrade to 3.8.18, 3.9.16, or 3.10.12 (or later).
As a temporary workaround, consider enabling authentication for the Rasa HTTP API and ensuring that only trusted users are given access.
Restrict access to the Rasa API to minimize the risk of exploitation: load models only from trusted sources and confirm that sufficient access controls are in place.
Apply the principle of least privilege to control who in your organization is able to interact with the Rasa API, even with authentication enabled.
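The following is an added audit helper, not code from Rasa or from this advisory. It turns the affected-version ranges above into a check a defender can run against an inventory, and it flags a `rasa run` command line that satisfies prerequisites 1 and 2 (HTTP API enabled, no authentication configured). The version thresholds come from the advisory; the per-branch reading of the Rasa Pro fixes (each fix applies to its own minor branch, older branches without a listed fix are treated as affected, newer branches are not) is an assumption, and the `--auth-token` / `--jwt-secret` option names are Rasa's documented CLI options rather than something the advisory states.

```python
"""Audit helpers for CVE-2024-49375 (Rasa / Rasa Pro RCE via model loading).

Constructed example, not Rasa's own code. Version thresholds are taken from
the advisory; the per-branch interpretation for Rasa Pro and the CLI-flag
audit are assumptions, noted in the comments below.
"""
import re
from typing import Sequence, Tuple

# Fixed versions as listed in the advisory.
RASA_FIXED = (3, 6, 21)
RASA_PRO_FIXED_BY_BRANCH = {
    (3, 8): (3, 8, 18),
    (3, 9): (3, 9, 16),
    (3, 10): (3, 10, 12),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a pre-release suffix such as 'rc1' is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """Return True if product/version falls inside the advisory's affected range.

    product is 'rasa' or 'rasa-pro'.
    Assumption for Rasa Pro: each listed fix covers its own minor branch.
    Branches older than 3.8 have no listed fix and are treated as affected;
    branches newer than 3.10 are later than every listed fix and are not.
    """
    v = parse_version(version)
    if product == "rasa":
        return v < RASA_FIXED
    if product == "rasa-pro":
        branch = v[:2]
        if branch in RASA_PRO_FIXED_BY_BRANCH:
            return v < RASA_PRO_FIXED_BY_BRANCH[branch]
        return branch < (3, 8)
    raise ValueError(f"unknown product: {product!r}")


def _has_option(args: Sequence[str], name: str) -> bool:
    """True if `name` appears as a standalone option or in `name=value` form."""
    return any(a == name or a.startswith(name + "=") for a in args)


def api_exposed_without_auth(argv: Sequence[str]) -> bool:
    """Flag a `rasa run` invocation matching prerequisites 1 and 2 of the advisory.

    Assumption: Rasa's documented `--auth-token` and `--jwt-secret` options are
    the indicators that HTTP API authentication has been configured.
    """
    api_enabled = _has_option(argv, "--enable-api")
    has_auth = _has_option(argv, "--auth-token") or _has_option(argv, "--jwt-secret")
    return api_enabled and not has_auth


if __name__ == "__main__":
    # Constructed inventory entries, not real deployments.
    inventory = [("rasa", "3.6.20"), ("rasa", "3.6.21"),
                 ("rasa-pro", "3.9.15"), ("rasa-pro", "3.10.12")]
    for product, version in inventory:
        state = "AFFECTED" if is_affected(product, version) else "fixed"
        print(f"{product} {version}: {state}")
    # Constructed command line illustrating prerequisites 1 and 2.
    cmd = ["rasa", "run", "--enable-api"]
    print("API enabled without auth:", api_exposed_without_auth(cmd))
```

Run the check against each instance's reported version; any entry reported as affected should be upgraded to the fixed versions given above, and any command line flagged by `api_exposed_without_auth` should have authentication enabled as the temporary workaround describes.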