CVE-2024-5998 — HIGH (7.8) — White Hats Nepal

Q: How severe is CVE-2024-5998?

CVE-2024-5998 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-5998?

Check the references section above for vendor advisories and patch information. Affected products include: Langchain Langchain.

Vulnerability Description

A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Langchain	Langchain	< 0.2.9

Related Weaknesses (CWE)

CWE-502

References

https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63Patch
https://huntr.com/bounties/fa3a2753-57c3-4e08-a176-d7a3ffda28feExploitThird Party Advisory

FAQ

What is CVE-2024-5998?

CVE-2024-5998 is a vulnerability with a CVSS score of 7.8 (HIGH). A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the...

How severe is CVE-2024-5998?

CVE-2024-5998 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-5998?

Check the references section above for vendor advisories and patch information. Affected products include: Langchain Langchain.