Lucene search
GitHub Advisory DatabaseGHSA-F2JM-RW3H-6PHGHistorySep 17, 2024 - 12:30 p.m.
LangChain pickle deserialization of untrusted data
2024-09-1712:30:32
CWE-502
GitHub Advisory Database
github.com
1
langchain
faiss
vulnerability
pickle deserialization
untrusted data
arbitrary commands
os.system
software
version 0.2.10
CVSS3
5.2
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
EPSS
0
Percentile
9.6%
A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects versions prior to 0.2.4.
Affected configurations
Node
langchainlangchain-experimentalRange<0.2.4
| Vendor | Product | Version | CPE |
|---|---|---|---|
| langchain | langchain-experimental | * | cpe:2.3:a:langchain:langchain-experimental:*:*:*:*:*:*:*:* |
Related
nvd
nvd
CVE-2024-5998
2024-09-17 12:15:02
cvelist
cvelist
CVE-2024-5998 Deserialization of Untrusted Data in langchain-ai/langchain
2024-09-17 11:50:13
cve
cve
CVE-2024-5998
2024-09-17 12:15:02
osv
osv
LangChain pickle deserialization of untrusted data
2024-09-17 12:30:32
CVE-2024-5998
2024-09-17 12:15:02
vulnrichment
vulnrichment
CVE-2024-5998 Deserialization of Untrusted Data in langchain-ai/langchain
2024-09-17 11:50:13
CVSS3
5.2
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
EPSS
0
Percentile
9.6%
Related for GHSA-F2JM-RW3H-6PHG