How the Attack Works
A critical vulnerability in ChromaDB, an open-source vector database widely used in AI applications, lets unauthenticated attackers execute arbitrary code on exposed servers. The flaw, found by researchers at HiddenLayer, affects the Python FastAPI version of the server and has been assigned the highest possible severity score. The root cause is an ordering bug: an API endpoint is marked as authenticated, but it loads the model named in the request before the credential check runs. An attacker can therefore send a specially crafted request that makes ChromaDB fetch a malicious model from the Hugging Face platform and execute the code it carries. By the time the authentication check fails, the model has already been loaded and run, so the control protects nothing.
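To make the ordering bug concrete, here is an added example (not ChromaDB's own code; the handler names, the request shape, AUTH_TOKEN and the load recorder are assumptions for illustration) that contrasts a handler which materialises a request-named model before authenticating with one that authenticates first and treats a request to trust remote code as a request to execute code:

```python
"""Toy model of the ordering bug: a handler that fetches and runs the model
named in the request body *before* it checks the caller's credentials.
Added example, not ChromaDB's own code; handler names, the request shape,
AUTH_TOKEN and the recorder are assumptions for illustration. The model
load is simulated by a recorder so the script runs offline."""
from dataclasses import dataclass, field

# Constructed secret for the example; a real server reads it from config.
AUTH_TOKEN = "example-token"


@dataclass
class Request:
    headers: dict
    body: dict


@dataclass
class LoadRecorder:
    """Stands in for the real side effect: downloading a model from a hub and,
    when remote code is trusted, executing whatever code ships with it."""
    loads: list = field(default_factory=list)

    def load_embedding_model(self, repo: str, trust_remote_code: bool) -> str:
        self.loads.append((repo, trust_remote_code))
        if trust_remote_code:
            return f"executed model code from {repo}"
        return f"loaded weights only from {repo}"


def _authorised(request: Request) -> bool:
    return request.headers.get("Authorization") == f"Bearer {AUTH_TOKEN}"


def vulnerable_handler(request: Request, rec: LoadRecorder) -> tuple:
    # Bug: the request-controlled model is materialised while the handler's
    # inputs are being built; the credential check runs only afterwards.
    cfg = request.body.get("embedding_function", {})
    model = rec.load_embedding_model(
        cfg.get("repo", ""), bool(cfg.get("trust_remote_code", False)))
    if not _authorised(request):
        return 401, "unauthorized"  # too late: the load already happened
    return 200, model


def fixed_handler(request: Request, rec: LoadRecorder,
                  allowed_remote_code=frozenset()) -> tuple:
    # Fix 1: authenticate before doing any work driven by request content.
    if not _authorised(request):
        return 401, "unauthorized"
    cfg = request.body.get("embedding_function", {})
    repo = cfg.get("repo", "")
    trust = bool(cfg.get("trust_remote_code", False))
    # Fix 2: trusting remote code is code execution; allow it only for
    # repos an operator has explicitly vetted.
    if trust and repo not in allowed_remote_code:
        return 400, f"refusing trust_remote_code for {repo}"
    return 200, rec.load_embedding_model(repo, trust)


def demo() -> dict:
    """Unauthenticated request naming a hostile repo, sent to both handlers."""
    attacker = Request(headers={}, body={"embedding_function": {
        "repo": "evil/backdoored-model", "trust_remote_code": True}})
    vuln_rec, fixed_rec = LoadRecorder(), LoadRecorder()
    return {
        "vulnerable": vulnerable_handler(attacker, vuln_rec),
        "vulnerable_loads": vuln_rec.loads,
        "fixed": fixed_handler(attacker, fixed_rec),
        "fixed_loads": fixed_rec.loads,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable handler still returns 401, which is why the bug is easy to miss in a black-box test: the response looks correct, but the recorder shows the hostile model was fetched and its code run before the check fired. The fixed handler records no load at all for the unauthenticated request, and even an authenticated caller cannot enable remote code for a repo that is not on the operator's allowlist.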
Exposure and Mitigation
ChromaDB is a popular choice for AI retrieval tasks, helping large language models find relevant documents during inference; its PyPI package is downloaded nearly 14 million times each month. According to Shodan scans, roughly 73 percent of internet-exposed ChromaDB instances are running a vulnerable version. The flaw was introduced in version 1.0.0 and remained unpatched through version 1.5.8. The maintainer has since released version 1.5.9, but it is not yet clear whether that release addresses the issue. Users are advised to deploy the Rust frontend instead of the Python server, to avoid exposing the Python server over HTTP, or at least to restrict network access to the API port. The researchers also recommend scanning machine learning model artifacts before they are loaded, since loading a public model with remote code trusted (the trust_remote_code option in Hugging Face libraries) is equivalent to executing untrusted code.
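Because the page recommends scanning model artifacts before runtime, here is an added example (not HiddenLayer's scanner and not ChromaDB code) that goes slightly beyond the page's specific vector: it checks a downloaded model directory both for the custom-code markers that trust_remote_code would execute (an auto_map entry in config.json, shipped .py modules) and for pickle-serialised weights containing opcodes that import or call objects at load time. The sample directories, file names and the hand-built pickle bytes are constructed fixtures; the malicious pickle is only parsed, never unpickled:

```python
"""Pre-runtime scan of a downloaded model directory (added example; not
HiddenLayer's scanner and not ChromaDB code). Two checks that matter before
a model is loaded with remote code trusted:
  1. Does the repo declare custom code? Hugging Face's trust_remote_code
     imports the module named in config.json's `auto_map`, so an auto_map
     entry or shipped .py files mean "loading this runs the author's code".
  2. Do pickle-serialised weights carry opcodes that import or call objects
     on load (GLOBAL/STACK_GLOBAL/REDUCE/INST/OBJ)? Those run at unpickle time.
The sample model directories are constructed so the script runs offline; the
malicious pickle is hand-built bytes that are parsed with pickletools, never
unpickled."""
import json
import pickle
import pickletools
import tempfile
import zipfile
from pathlib import Path

CODE_EXEC_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ"}
PICKLE_SUFFIXES = {".bin", ".pkl", ".pickle", ".pt", ".pth"}


def pickle_findings(blob: bytes) -> list:
    """Names of opcodes in `blob` that import or call objects; parse only."""
    found = set()
    try:
        for op, _arg, _pos in pickletools.genops(blob):
            if op.name in CODE_EXEC_OPS:
                found.add(op.name)
    except Exception:  # truncated, or not a pickle at all
        found.add("UNPARSEABLE")
    return sorted(found)


def _weight_blobs(path: Path):
    # torch .pt/.pth files are zip archives holding data.pkl; others are raw pickles
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.endswith(".pkl"):
                    yield f"{path.name}:{name}", zf.read(name)
    else:
        yield path.name, path.read_bytes()


def scan_model_dir(root) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    root = Path(root)
    findings = []
    cfg = root / "config.json"
    if cfg.is_file():
        try:
            auto_map = json.loads(cfg.read_text()).get("auto_map") or {}
        except ValueError:
            auto_map = {}
        for cls, target in sorted(auto_map.items()):
            findings.append(f"custom code: config.json auto_map {cls} -> {target}")
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if p.suffix == ".py":
            findings.append(f"custom code: shipped module {rel}")
        elif p.suffix in PICKLE_SUFFIXES:
            for label, blob in _weight_blobs(p):
                ops = pickle_findings(blob)
                if ops:
                    findings.append(f"pickle {label}: {ops}")
    return findings


def build_sample_dirs() -> tuple:
    """Constructed fixtures: one clean repo, one that would execute code on load."""
    base = Path(tempfile.mkdtemp())
    clean, hostile = base / "clean", base / "hostile"
    clean.mkdir()
    hostile.mkdir()
    (clean / "config.json").write_text(json.dumps({"model_type": "bert"}))
    # plain dict of floats: a protocol-2 pickle with no GLOBAL/REDUCE opcodes
    (clean / "pytorch_model.bin").write_bytes(pickle.dumps({"w": [0.1, 0.2]}, protocol=2))
    (hostile / "config.json").write_text(json.dumps(
        {"model_type": "bert", "auto_map": {"AutoModel": "modeling_custom.Model"}}))
    (hostile / "modeling_custom.py").write_text("# would run under trust_remote_code\n")
    # hand-built protocol-2 pickle: GLOBAL os.system, one string arg, REDUCE.
    # Constructed for the scan; this file is never unpickled.
    payload = b"\x80\x02cos\nsystem\n(X\x0a\x00\x00\x00echo pwnedtR."
    (hostile / "pytorch_model.bin").write_bytes(payload)
    return clean, hostile


if __name__ == "__main__":
    for d in build_sample_dirs():
        print(d.name, scan_model_dir(d) or "clean")
```

Both checks are static: pickletools.genops walks the opcode stream without executing it, and the auto_map and .py checks only read files. A repo that trips either check is not necessarily malicious, but it is one whose load is code execution, which is exactly the situation the page's "equivalent to executing untrusted code" warning is about, so it should be vetted before any server is allowed to fetch it.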
Source: BleepingComputer
