Skip to content

LangChain pickle deserialization of untrusted data

Moderate severity GitHub Reviewed Published Sep 17, 2024 to the GitHub Advisory Database • Updated Sep 20, 2024

Package

pip langchain-community (pip)

Affected versions

< 0.2.4

Patched versions

0.2.4

Description

A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects versions prior to 0.2.4.

References

Published by the National Vulnerability Database Sep 17, 2024
Published to the GitHub Advisory Database Sep 17, 2024
Reviewed Sep 17, 2024
Last updated Sep 20, 2024

Severity

Moderate

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-5998

GHSA ID

GHSA-f2jm-rw3h-6phg

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.