CVE-2024-5998
Published 2024-09-17
Priority: P3 · 42 · high · CVSS 3.1: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.36% (27.6th percentile)
A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langchain-ai | langchain-ai_langchain | >= unspecified < 0.2.9 | 0.2.9 |
| langchain | langchain | < 0.2.9 | 0.2.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 3.0 | 5.2 | MEDIUM | CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L |
GHSA
ghsa · 2024-09-17 · CVE-2024-5998 [HIGH] CWE-502
LangChain pickle deserialization of untrusted data
A vulnerability in the `FAISS.deserialize_from_bytes` function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the `os.system` function. The issue affects versions prior to 0.2.4.
OSV
osv · 2024-09-17 · CVE-2024-5998 [HIGH]
LangChain pickle deserialization of untrusted data
A vulnerability in the `FAISS.deserialize_from_bytes` function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the `os.system` function. The issue affects versions prior to 0.2.4.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.