CVE-2024-5998
published 2024-09-17

Priority: P342
CVSS 3.1 base score: 7.8 (high), vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.36% (27.6th percentile)
A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.

Affected (2 ranges)

Vendor        | Product                 | Version range             | Fixed in
langchain-ai  | langchain-ai_langchain  | >= unspecified, < 0.2.9   | 0.2.9
langchain     | langchain               | < 0.2.9                   | 0.2.9

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd    | v3.0    | 5.2   | MEDIUM   | CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L