Security Update & Information

We’d like to update you on Rasa’s new process to remediate and disclose security vulnerabilities.

As part of our investment in the security and safety of Rasa, we will be publishing and documenting Common Vulnerabilities and Exposures (CVE) IDs and security advisories. These CVE IDs and security advisories will be published on GitHub. Rasa Open Source security advisories can be found here, and those for Rasa X can be found here. Going forward, we’ll publish details of any security vulnerabilities as advisories in those repositories.

Along with this announcement, we’d like to draw your attention to the following CVEs:

  • IDs: CVE-2021-41127 (Rasa Open Source), CVE-2021-42556 (Rasa X)
  • Summary: An Archive Extraction (Zip Slip) vulnerability in the model archive upload functionality. Detailed security advisories are published for Rasa Open Source and Rasa X.
  • Solution: Fixes have been released in Rasa Open Source version 2.8.10 and in Rasa X version 0.42.4, and will be included in all newer versions. As a mitigation, restrict access to the CLI or API endpoints through which an internal malicious actor could target a deployed Rasa instance.
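
Zip Slip, the class of issue named in the summary above, arises when an extractor trusts the member paths stored inside an uploaded archive. The following is an added example, not Rasa's code and not the released fix: an extraction routine that validates every member path before writing anything. It assumes the upload is a gzip-compressed tar, and `safe_extract`, `build_sample` and `demo` are hypothetical names with constructed sample archives.

```python
import io
import os
import tarfile
import tempfile


class UnsafeArchiveError(Exception):
    """An archive member would be written outside the destination."""


def safe_extract(archive: bytes, dest: str) -> list:
    """Validate every member, then extract; a bad archive writes nothing."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            if not (m.isfile() or m.isdir()):
                # Links and device nodes can redirect later writes.
                raise UnsafeArchiveError(f"unsupported member type: {m.name!r}")
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                raise UnsafeArchiveError(f"escapes destination: {m.name!r}")
        for m in members:
            tar.extract(m, root)
    return [m.name for m in members]


def build_sample(names: list) -> bytes:
    """Constructed test input: a tar.gz with one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"sample"))
    return buf.getvalue()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "models")
        os.mkdir(dest)
        good = safe_extract(build_sample(["nlu/model.bin", "metadata.json"]), dest)
        try:
            safe_extract(build_sample(["metadata.json", "../outside.txt"]), dest)
            rejected = False
        except UnsafeArchiveError:
            rejected = True
        escaped = os.path.exists(os.path.join(tmp, "outside.txt"))
    return {"extracted": good, "rejected": rejected, "escaped": escaped}
```

On Python versions that ship tarfile extraction filters (PEP 706), passing `filter="data"` to `extract` adds a second layer of checking on top of this one.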

This process to disclose vulnerabilities publicly illustrates our commitment to the security of our users and people who build with Rasa. We’ll do our best to answer any questions that you may have about this.