Haystack Vulnerability Allows Remote Code Execution
CVE-2024-41950

7.5HIGH

Key Information:

Vendor: Deepset-ai
Status: Haystack
Vendor: CVE Published:; 31 July 2024

What is CVE-2024-41950?

The Haystack framework, developed by Deepset AI, is designed for building applications with large language models (LLMs) and Transformer architectures, facilitating features like vector searches. A significant vulnerability exists where clients allowing users to create and run Pipelines from scratch are at risk. This arises from the misuse of Jinja2 templates; if a malicious actor can create and render these templates on a client machine, they gain the ability to execute arbitrary code. To address this security flaw, users are advised to upgrade to Haystack version 2.3.1, which includes necessary fixes to eliminate this vulnerability.

Affected Version(s)

haystack < 2.3.1

References

https://github.com/deepset-ai/haystack/security/advisorie...

x_refsource_CONFIRM

https://github.com/deepset-ai/haystack/pull/8095

x_refsource_MISC

https://github.com/deepset-ai/haystack/pull/8096

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 31, 2024
Vulnerability Reserved
Jul 24, 2024

Deepset-ai

What is CVE-2024-41950?

Affected Version(s)

References

CVSS V3.1

Timeline