Haystack Vulnerability Allows Remote Code Execution
CVE-2024-41950

7.5 HIGH

Key Information:

Vendor: Deepset-ai
Product: Haystack
CVE Published: 31 July 2024

Summary

The Haystack framework, developed by Deepset AI, is used to build applications with large language models (LLMs) and Transformer architectures, and supports features such as vector search. Clients that allow users to create and run Pipelines from scratch are vulnerable to remote code execution. The flaw lies in how Jinja2 templates are used: a malicious actor who can create a template and have it rendered on the client machine can execute arbitrary code there. The issue is fixed in Haystack 2.3.1, and users are advised to upgrade to that version.

Affected Version(s)

haystack < 2.3.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
