logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-32377 rasa-pro

Package

Manager: pip
Name: rasa-pro
Vulnerable Version: >=3.12.0 <3.12.6 || >=3.11.0 <3.11.7 || >=3.10.0 <3.10.19 || >=0 <3.9.20

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00097 pctl0.27714

Details

Rasa Pro Missing Authentication For Voice Connector APIs ## Vulnerability A vulnerability has been identified in Rasa Pro where voice connectors in Rasa Pro do not properly implement authentication even when a token is configured in the `credentials.yml` file. This could allow an attacker to submit voice data to the Rasa Pro assistant from an unauthenticated source. This impacts the following connectors: - `audiocodes_stream` - `genesys` - `jambonz` As part of our investigation to resolve this issue, we have also performed a security review of our other voice channel connectors: - `browser_audio`: Does not support authentication. This is a development channel not intended for production use. - `twilio_media_streams`, `twilio_voice` and `jambonz`: Authentication is currently not supported by these channels, but our investigation has found a way for us to enable it for these voice channel connectors in a future Rasa Pro release. ## Fix The issue has been resolved for `audiocodes`, `audiocodes_stream`, and `genesys` connectors. Fixed versions of Rasa Pro have been released for `3.9.20`, `3.10.19`, `3.11.7` and `3.12.6`. Please update to a fixed release. If you are using one of the affected connectors, we strongly recommend upgrading to a fixed version. For connectors where authentication is not supported (e.g., Twilio), we suggest taking extra caution and considering other compensating controls if applicable.

Metadata

Created: 2025-04-17T18:33:20Z
Modified: 2025-04-23T14:34:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-7xq5-54jp-2mfg/GHSA-7xq5-54jp-2mfg.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-7xq5-54jp-2mfg
Finding: F006
Auto approve: 1