A vulnerability in the `FAISS.deserialize_from_bytes` function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the `os.system` function. The issue affects versions prior to 0.2.4.

Affected Packages

PyPI langchain-community

Affected versions: 0 (fixed in 0.2.4)

Related CVEs

CVE-2024-5998

Key Information

GHSA ID

GHSA-f2jm-rw3h-6phg

Published

September 17, 2024 12:30 PM

Last Modified

November 18, 2024 4:27 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

langchain-community

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 16, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.