CVE-2024-6961 MEDIUM

CVE-2024-6961: XXE in Guardrails AI when consuming RAIL documents

Weakness CWE-611 · XXE

Published July 21, 2024

Last update November 25, 2024

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Guardrails users that consume RAIL documents from external sources are vulnerable to XXE, which may cause leakage of internal file data via the SYSTEM entity.

Key dates

Disclosure timeline

July 21, 2024 CVE published

November 25, 2024 Record updated