{"data":{"id":"362b9e4c-ecdc-49e0-a1ad-8dccc481881a","title":"CVE-2024-5998: A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization","summary":"The FAISS.deserialize_from_bytes function in langchain deserializes its input with pickle (Python's object serialization module; loading a pickle can execute code chosen by whoever produced the data). When the serialized bytes come from an untrusted source, this can lead to arbitrary command execution through the os.system function. The advisory reports the latest version of the product as affected, and the issue is classified as CWE-502 (deserialization of untrusted data).","solution":"A patch is available at https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-5998","publishedAt":"2024-09-17T16:15:02.977Z","cveId":"CVE-2024-5998","cweIds":["CWE-502"],"cvssScore":"7.8","cvssSeverity":"high","severity":"high","attackType":["model_theft","data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain","langchain-ai/langchain"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0009,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"rag","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}