XSS via chat information tooltip
A pickle deserialization vulnerability in the FAISS.deserialize_from_bytes function of the latest version of the software allows attackers to execute arbitrary commands. This issue was patched in version 0.2.9.
Available publicly on Sep 17 2024 | Available with Premium on Jul 25 2024
Remediation Steps
- Update to version 0.2.9 or later.
- Avoid deserializing untrusted data using pickle.
- Implement input validation and sanitization to ensure only trusted data is deserialized.
- Consider using safer serialization formats such as JSON or Protocol Buffers.
Patch Details
- Fixed Version: 0.2.9
- Patch Commit: https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.