PyPI: langchain-community
CVE-2024-5998
Safety vulnerability ID: SFTY-20240917-94943
Safety legacy ID: pyup.io-73298
Overview
LangChain pickle deserialization of untrusted data
Advisory
Affected versions of the langchain package are vulnerable to Deserialization of Untrusted Data due to unsafe pickle deserialization in the FAISS vector store implementation. The FAISS.deserialize_from_bytes function directly deserializes pickle data without proper validation, allowing arbitrary Python objects to be reconstructed and executed during the deserialization process.
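The point at which a pickle stream pulls in arbitrary Python objects is global resolution, and the standard library lets a loader intercept it. The following is an added example, not code from LangChain or from this advisory: `AllowListUnpickler`, `safe_loads` and `try_load` are hypothetical names, and both sample byte strings are constructed here.

```python
import collections
import io
import pickle


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that resolves only explicitly allowed (module, name) globals."""

    def __init__(self, file, allowed=frozenset()):
        super().__init__(file)
        self._allowed = frozenset(allowed)

    def find_class(self, module, name):
        # Every class or callable a pickle asks to import passes through here
        # before it can be instantiated or called, so refusing here stops the load.
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data, allowed=frozenset()):
    """Load pickle bytes, refusing any global that is not in `allowed`."""
    return AllowListUnpickler(io.BytesIO(data), allowed).load()


def try_load(data, allowed=frozenset()):
    """Return (True, obj) on success or (False, reason) when the load is refused."""
    try:
        return True, safe_loads(data, allowed)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample inputs: one made only of built-in containers and scalars,
# one that needs a global (collections.OrderedDict) to be rebuilt.
PLAIN = pickle.dumps({"index_to_docstore_id": {0: "doc-1"}, "vector": [0.1, 0.2]})
WITH_GLOBAL = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    print(try_load(PLAIN))        # loads: no globals requested
    print(try_load(WITH_GLOBAL))  # refused: global is not on the allow-list
    print(try_load(WITH_GLOBAL, {("collections", "OrderedDict")}))  # loads
```

An allow-list only helps if every entry on it is itself harmless to construct, so it should name specific data classes rather than whole modules.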
References
- https://getsafety.com/vulnerabilities/SFTY-20240917-94943/CVE-2024-5998
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5998
- https://github.com/advisories/GHSA-f2jm-rw3h-6phg
- https://github.com/langchain-ai/langchain/commit/77209f315efd13442ec51c67719ba37dfaa44511
- https://nvd.nist.gov/vuln/detail/CVE-2024-5998
- https://huntr.com/bounties/fa3a2753-57c3-4e08-a176-d7a3ffda28fe
- https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
