A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
The attacker sends a crafted HTTP request to the endpoint /api/v2/tenants/{tenant}/databases/{db}/collections, providing a malicious model repository along with the trust_remote_code parameter set to true. ChromaDB loads and executes code contained in the external model repository without verifying the identity of the caller. As a result, any code supplied by the attacker is executed in the context of the server process.
An unauthenticated attacker gains the ability to execute arbitrary code on the server (RCE), which can lead to complete system compromise, data theft, and further lateral movement in the infrastructure.
Patches available from the vendor should be applied according to the references. Until the fix is deployed, it is recommended to restrict network access to ChromaDB instances only to trusted hosts and monitor requests directed to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint for the presence of the trust_remote_code parameter.
ChromaDB Python project in version 1.0.0 and later
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X