CVE-2024-6961: Guardrails AI vulnerable to Improper Restriction of XML External Entity Reference

CVSS Score: 5.9 (CVSS 3.1)

Basic Information

EPSS Score: 0.09618%
Published: 7/21/2024
Updated: 11/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: guardrails-ai
Ecosystem: pip
Vulnerable Versions: < 0.5.0
First Patched Version: 0.5.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from XML parsing without disabling external entity resolution. The commit diff shows both locations used ET.XMLParser without 'resolve_entities=False':

  1. In constants_container.py, the fill_constants method reads external XML files
  2. In rail_schema.py, rail_string_to_schema processes user-provided RAIL strings

Both functions parse untrusted XML input and were patched by adding resolve_entities=False to their XML parsers, directly addressing the XXE vulnerability. The PoC demonstrates exploitation through RAIL document processing, confirming these are the entry points.
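
One way to audit a code base for the pattern described above, as an added example (not code from guardrails-ai or Miggo): a static check that flags XMLParser calls that do not pass resolve_entities=False. It assumes ET refers to lxml.etree; SAMPLE_SOURCE and the function names are constructed for illustration.

```python
import ast

# Constructed sample: the first call mirrors the pre-patch pattern described
# above, the second the patched one. Not taken from the guardrails-ai source.
SAMPLE_SOURCE = '''
from lxml import etree as ET

def load_before(path):
    parser = ET.XMLParser(encoding="utf-8")
    return ET.parse(path, parser=parser)

def load_after(text):
    parser = ET.XMLParser(encoding="utf-8", resolve_entities=False)
    return ET.fromstring(text, parser=parser)
'''


def _call_name(node: ast.Call) -> str:
    """Return the trailing name of the called object, e.g. 'XMLParser'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def find_unsafe_xmlparser_calls(source: str) -> list[tuple[int, str]]:
    """List (line, reason) for each XMLParser(...) call that does not pass
    resolve_entities=False as a literal keyword argument."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _call_name(node) == "XMLParser"):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        value = kwargs.get("resolve_entities")
        if isinstance(value, ast.Constant) and value.value is False:
            continue  # entity resolution explicitly disabled
        if value is not None:
            findings.append((node.lineno, "resolve_entities is not the literal False"))
        elif None in kwargs:
            # A **mapping may or may not carry the setting; flag for review.
            findings.append((node.lineno, "keywords passed via **, review manually"))
        else:
            findings.append((node.lineno, "resolve_entities not set"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_unsafe_xmlparser_calls(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

The check matches on the call name only, so it also reports XMLParser calls from other libraries; treat each finding as a prompt to confirm which parser is in use.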

RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Guardrails users that consume RAIL documents from external sources are vulnerable to XXE, which may cause leakage of internal file data via
