Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/rasa@0.0.1
Type pypi
Namespace
Name rasa
Version 0.0.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.6.21
Latest_non_vulnerable_version 3.7.0b1
Affected_by_vulnerabilities
0
url VCID-1wzv-4u1d-kqc4
vulnerability_id VCID-1wzv-4u1d-kqc4
summary Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API must be enabled on the Rasa instance, e.g. with `--enable-api`. This is not the default configuration. 2. For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in our documentation. 3. For authenticated RCE, the attacker must possess a valid authentication token or JWT to interact with the Rasa API. This issue has been addressed in rasa version 3.6.21 and all users are advised to upgrade. Users unable to upgrade should ensure that they require authentication and that only trusted users are given access.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-49375
reference_id
reference_type
scores
0
value 0.04476
scoring_system epss
scoring_elements 0.89345
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-49375
1
reference_url https://github.com/rasahq/rasa
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rasahq/rasa
2
reference_url https://github.com/RasaHQ/rasa/commit/2bb1d779d4f4acaf70b6dfa35dd1899dccbb1ae6
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/RasaHQ/rasa/commit/2bb1d779d4f4acaf70b6dfa35dd1899dccbb1ae6
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-49375
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-49375
4
reference_url https://github.com/advisories/GHSA-cpv4-ggrr-7j9v
reference_id GHSA-cpv4-ggrr-7j9v
reference_type
scores
url https://github.com/advisories/GHSA-cpv4-ggrr-7j9v
5
reference_url https://github.com/RasaHQ/rasa-pro-security-advisories/security/advisories/GHSA-cpv4-ggrr-7j9v
reference_id GHSA-cpv4-ggrr-7j9v
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-15T15:17:08Z/
url https://github.com/RasaHQ/rasa-pro-security-advisories/security/advisories/GHSA-cpv4-ggrr-7j9v
fixed_packages
0
url pkg:pypi/rasa@3.6.21
purl pkg:pypi/rasa@3.6.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/rasa@3.6.21
1
url pkg:pypi/rasa@3.7.0b1
purl pkg:pypi/rasa@3.7.0b1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/rasa@3.7.0b1
aliases CVE-2024-49375, GHSA-cpv4-ggrr-7j9v
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1wzv-4u1d-kqc4
1
url VCID-ph7u-xzm9-ckb1
vulnerability_id VCID-ph7u-xzm9-ckb1
summary Rasa is an open source machine learning framework to automate text- and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file, which allows a malicious actor to craft a `model.tar.gz` file that can overwrite or replace bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. For users unable to update, ensure that users do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-41127
reference_id
reference_type
scores
0
value 0.00396
scoring_system epss
scoring_elements 0.60819
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-41127
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/rasa/PYSEC-2021-381.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/rasa/PYSEC-2021-381.yaml
2
reference_url https://github.com/RasaHQ/rasa
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/RasaHQ/rasa
3
reference_url https://github.com/RasaHQ/rasa/commit/1b6b502f52d73b4f8cd1959ce724b8ad0eb33989
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/RasaHQ/rasa/commit/1b6b502f52d73b4f8cd1959ce724b8ad0eb33989
4
reference_url https://github.com/RasaHQ/rasa/security/advisories/GHSA-4365-fhm5-qcrx
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/RasaHQ/rasa/security/advisories/GHSA-4365-fhm5-qcrx
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-41127
reference_id CVE-2021-41127
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2021-41127
6
reference_url https://github.com/advisories/GHSA-4365-fhm5-qcrx
reference_id GHSA-4365-fhm5-qcrx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4365-fhm5-qcrx
fixed_packages
0
url pkg:pypi/rasa@2.8.10
purl pkg:pypi/rasa@2.8.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1wzv-4u1d-kqc4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/rasa@2.8.10
aliases CVE-2021-41127, GHSA-4365-fhm5-qcrx, PYSEC-2021-381
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ph7u-xzm9-ckb1
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/rasa@0.0.1