CVE-2024-5998: LangChain pickle deserialization of untrusted data
(updated )
A vulnerability in the FAISS.deserialize_from_bytes
function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system
function. The issue affects versions prior to 0.2.4.
References
Detect and mitigate CVE-2024-5998 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →