GHSA-f2jm-rw3h-6phg

Source

https://github.com/advisories/GHSA-f2jm-rw3h-6phg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-f2jm-rw3h-6phg/GHSA-f2jm-rw3h-6phg.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-f2jm-rw3h-6phg

Aliases

CVE-2024-5998

Published

2024-09-17T12:30:32Z

Modified

2025-07-30T19:34:09.067831Z

Severity

5.2 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

LangChain pickle deserialization of untrusted data

Details

A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects versions prior to 0.2.4.

Database specific

{
    "github_reviewed_at": "2024-09-17T21:23:31Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "nvd_published_at": "2024-09-17T12:15:02Z",
    "github_reviewed": true,
    "severity": "HIGH"
}

References

Affected packages

PyPI / langchain-community

Package

Name: langchain-community; View open source insights on deps.dev
Purl: pkg:pypi/langchain-community

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.2.4

Affected versions

0.*

0.0.1rc1

0.0.1rc2

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9

0.0.10

0.0.11

0.0.12

0.0.13

0.0.14

0.0.15

0.0.16

0.0.17

0.0.18

0.0.19

0.0.20

0.0.21

0.0.22

0.0.23

0.0.24

0.0.25

0.0.26

0.0.27

0.0.28

0.0.29

0.0.30

0.0.31

0.0.32

0.0.33

0.0.34

0.0.35

0.0.36

0.0.37

0.0.38

0.2.0rc1

0.2.0

0.2.1

0.2.2

0.2.3