ChromaDB Pre-Auth RCE: Unauthenticated Remote Code Execution via Embedding Function Instantiation

ChromaToast Served Pre-Auth Vulnerability Summary Vulnerability Overview The Python FastAPI server for ChromaDB can instantiate user-controlled embedding function settings before checking access permissions. This allows unauthenticated attackers to trigger Remote Code Execution (RCE) via the HTTP API. Core Issues: The vulnerability was introduced in version 1.0.0 and remains unfixed as of version 1.5.8. 73% of ChromaDB instances discovered on the internet are running vulnerable versions. The vulnerability involves a combination of two independent flaws: 1. The server unconditionally trusts model identifiers provided by the client. 2. The server executes the request before validating the user. Technical Details: An attacker can achieve Remote Code Execution without providing credentials by sending a collection creation request to the unauthenticated endpoint. The only requirement is setting the parameter to . The server downloads and executes the model from HuggingFace before performing authentication checks. Timing issue: Model loading occurs prior to the authentication check. Impact Scope Affected Versions: ChromaDB 1.0.0 and later (unfixed as of 1.5.8) Affected Instances: 73% of ChromaDB instances discovered on the internet are running vulnerable versions. Impacted Components: - Embedding function configuration - Model name and its parameters - Everything accessible to the server process: environment variables, API keys, mounted secrets, and all data on disk Dangerous Invocation Examples: Remediation Recommended Mitigations: 1. Use the Rust-based Deployment Path (Chroma runs on Rust; Docker Hub images since version 1.0) - Bypasses the Python FastAPI server. - The Rust frontend is unaffected. 2. Restrict Network Access - If running the Python FastAPI server, restrict network access to ChromaDB ports to trusted clients only. Code Fix Suggestions: Move authentication checks before configuration loading. Strip any key named from the handlers in both V1 and V2. PoC Code: Root Cause: The server unconditionally trusts model identifiers provided by the client. The server executes requests before validating the user. Malicious code packages have characteristics identifiable in model files, but scanning model artifacts before they reach any runtime is a practical method to capture them.

Goal Reached Thanks to every supporter — we hit 100%!

ChromaDB Pre-Auth RCE: Unauthenticated Remote Code Execution via Embedding Function Instantiation