CVE-2024-5998

CVSS V2 None CVSS V3 None

Description

A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.

Overview

CVE ID
CVE-2024-5998

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-09-17T11:50:13.813Z

Last Modified Date
2024-09-17T13:34:15.648Z

Weakness Enumerations

CWE	URL
CWE-502	http://cwe.mitre.org/data/definitions/502.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/fa3a2753-57c3-4e08-a176-d7a3ffda28fe
https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-5998
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5998

History

Created	Old Value	New Value	Data Type	Notes
2024-10-06 02:29:51				Added to TrackCVE