GHSA-f2jm-rw3h-6phg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f2jm-rw3h-6phg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-f2jm-rw3h-6phg/GHSA-f2jm-rw3h-6phg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f2jm-rw3h-6phg
- Aliases
- Published
- 2024-09-17T12:30:32Z
- Modified
- 2024-11-20T05:24:25.241001Z
- Severity
-
- 5.2 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
- 8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- LangChain pickle deserialization of untrusted data
- Details
-
A vulnerability in the
FAISS.deserialize_from_bytesfunction of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via theos.systemfunction. The issue affects versions prior to 0.2.4. - Database specific
{ "nvd_published_at": "2024-09-17T12:15:02Z", "cwe_ids": [ "CWE-502" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-09-17T21:23:31Z" }- References
Affected packages
PyPI / langchain-community
Package
- Name
- langchain-community
- View open source insights on deps.dev
- Purl
- pkg:pypi/langchain-community
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.2.4
Affected versions
0.*
0.0.1rc1
0.0.1rc2
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34
0.0.35
0.0.36
0.0.37
0.0.38
0.2.0rc1
0.2.0
0.2.1
0.2.2
0.2.3