CVE-2024-45858 (GCVE-0-2024-45858)
Vulnerability from cvelistv5 – Published: 2024-09-18 15:02 – Updated: 2024-09-18 17:45
VLAI
EPSS
VEX
Summary
An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user's machine.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Guardrails AI | guardrails |
Affected:
0.2.9 , < 0.5.10
(semver)
|
|
| guardrailsai | guardrails |
Affected:
0.2.9 , ≤ 0.5.10
(semver)
cpe:2.3:a:guardrailsai:guardrails:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:guardrailsai:guardrails:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "guardrails",
"vendor": "guardrailsai",
"versions": [
{
"lessThanOrEqual": "0.5.10",
"status": "affected",
"version": "0.2.9",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45858",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T17:41:44.763730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T17:45:44.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "guardrails",
"repo": "https://github.com/guardrails-ai/guardrails",
"vendor": "Guardrails AI",
"versions": [
{
"lessThan": "0.5.10",
"status": "affected",
"version": "0.2.9",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user\u0027s machine."
}
],
"value": "An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user\u0027s machine."
}
],
"impacts": [
{
"capecId": "CAPEC-35",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-35 Leverage Executable Code in Non-Executable Files"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u2018Eval Injection\u2019)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T15:02:17.891Z",
"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
"shortName": "HiddenLayer"
},
"references": [
{
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-guardrails/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
"assignerShortName": "HiddenLayer",
"cveId": "CVE-2024-45858",
"datePublished": "2024-09-18T15:02:17.891Z",
"dateReserved": "2024-09-10T15:36:55.926Z",
"dateUpdated": "2024-09-18T17:45:44.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-45858",
"date": "2026-07-15",
"epss": "0.00375",
"percentile": "0.29673"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user\u0027s machine.\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad de ejecuci\\u00f3n de c\\u00f3digo arbitrario en las versiones 0.2.9 a 0.5.10 del framework Guardrails AI Guardrails debido a la forma en que valida los archivos XML. Si un usuario v\\u00edctima carga un archivo XML manipulado con fines malintencionados que contiene c\\u00f3digo Python, el c\\u00f3digo se pasar\\u00e1 a una funci\\u00f3n eval, lo que provocar\\u00e1 su ejecuci\\u00f3n en la m\\u00e1quina del usuario.\"}]",
"id": "CVE-2024-45858",
"lastModified": "2024-09-20T12:30:17.483",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"6f8de1f0-f67e-45a6-b68f-98777fdb759c\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
"published": "2024-09-18T15:15:16.333",
"references": "[{\"url\": \"https://hiddenlayer.com/sai-security-advisory/2024-09-guardrails/\", \"source\": \"6f8de1f0-f67e-45a6-b68f-98777fdb759c\"}]",
"sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"6f8de1f0-f67e-45a6-b68f-98777fdb759c\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-95\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45858\",\"sourceIdentifier\":\"6f8de1f0-f67e-45a6-b68f-98777fdb759c\",\"published\":\"2024-09-18T15:15:16.333\",\"lastModified\":\"2026-06-17T07:54:58.557\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user\u0027s machine.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en las versiones 0.2.9 a 0.5.10 del framework Guardrails AI Guardrails debido a la forma en que valida los archivos XML. Si un usuario v\u00edctima carga un archivo XML manipulado con fines malintencionados que contiene c\u00f3digo Python, el c\u00f3digo se pasar\u00e1 a una funci\u00f3n eval, lo que provocar\u00e1 su ejecuci\u00f3n en la m\u00e1quina del usuario.\"}],\"affected\":[{\"source\":\"6f8de1f0-f67e-45a6-b68f-98777fdb759c\",\"affectedData\":[{\"vendor\":\"Guardrails AI\",\"product\":\"guardrails\",\"defaultStatus\":\"unaffected\",\"repo\":\"https://github.com/guardrails-ai/guardrails\",\"versions\":[{\"version\":\"0.2.9\",\"lessThan\":\"0.5.10\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"affectedData\":[{\"vendor\":\"guardrailsai\",\"product\":\"guardrails\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:2.3:a:guardrailsai:guardrails:*:*:*:*:*:*:*:*\"],\"versions\":[{\"version\":\"0.2.9\",\"lessThanOrEqual\":\"0.5.10\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"6f8de1f0-f67e-45a6-b68f-98777fdb759c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2024-09-18T17:41:44.763730Z\",\"id\":\"CVE-2024-45858\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"6f8de1f0-f67e-45a6-b68f-98777fdb759c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-95\"}]}],\"references\":[{\"url\":\"https://hiddenlayer.com/sai-security-advisory/2024-09-guardrails/\",\"source\":\"6f8de1f0-f67e-45a6-b68f-98777fdb759c\"}]}}",
"redhat_vex": {
"current_release_date": "2025-05-28T18:44:27+00:00",
"cve": "CVE-2024-45858",
"id": "CVE-2024-45858",
"initial_release_date": "2024-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "CVE-2024-45858",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-45858.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45858\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-18T17:41:44.763730Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:guardrailsai:guardrails:*:*:*:*:*:*:*:*\"], \"vendor\": \"guardrailsai\", \"product\": \"guardrails\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.2.9\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"0.5.10\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-18T17:45:37.986Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-35\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-35 Leverage Executable Code in Non-Executable Files\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/guardrails-ai/guardrails\", \"vendor\": \"Guardrails AI\", \"product\": \"guardrails\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.2.9\", \"lessThan\": \"0.5.10\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://hiddenlayer.com/sai-security-advisory/2024-09-guardrails/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user\u0027s machine.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user\u0027s machine.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-95\", \"description\": \"CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\\u2018Eval Injection\\u2019)\"}]}], \"providerMetadata\": {\"orgId\": \"6f8de1f0-f67e-45a6-b68f-98777fdb759c\", \"shortName\": \"HiddenLayer\", \"dateUpdated\": \"2024-09-18T15:02:17.891Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45858\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-18T17:45:44.580Z\", \"dateReserved\": \"2024-09-10T15:36:55.926Z\", \"assignerOrgId\": \"6f8de1f0-f67e-45a6-b68f-98777fdb759c\", \"datePublished\": \"2024-09-18T15:02:17.891Z\", \"assignerShortName\": \"HiddenLayer\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…