Medium

langchain

XSS via chat information tooltip

A pickle deserialization vulnerability in the FAISS.deserialize_from_bytes function of the latest version of the software allows attackers to execute arbitrary commands. This issue was patched in version 0.2.9.

Available publicly on Sep 17 2024

5.2

CVSS:

CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

Credit:

cn-panda

Remediation Steps
  • Update to version 0.2.9 or later.
  • Avoid deserializing untrusted data using pickle.
  • Implement input validation and sanitization to ensure only trusted data is deserialized.
  • Consider using safer serialization formats such as JSON or Protocol Buffers.
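
The remediation steps above, sketched as an added example (not LangChain's code and not taken from the patch commit): plain data is stored as JSON under an HMAC-SHA256 tag that is verified before parsing, and legacy pickle blobs are loaded through an unpickler that refuses every class or function reference. The helper names, sample key and sample documents are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import io
import json
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def seal(payload: dict, key: bytes) -> bytes:
    """Serialize plain data as JSON and prepend an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_sealed(blob: bytes, key: bytes) -> dict:
    """Verify the tag before parsing; reject anything not produced by seal()."""
    if len(blob) <= TAG_LEN:
        raise ValueError("blob too short to carry a tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    data = json.loads(body.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("unexpected top-level type")
    return data


class NoGlobalsUnpickler(pickle.Unpickler):
    """For legacy pickle blobs: allow only built-in containers and scalars."""

    def find_class(self, module, name):
        # Every class or function reference in a pickle goes through here.
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_plain_pickle(blob: bytes):
    return NoGlobalsUnpickler(io.BytesIO(blob)).load()


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    docs = {"0": {"page_content": "hello", "metadata": {"source": "a.txt"}}}  # constructed
    blob = seal(docs, key)
    print(open_sealed(blob, key) == docs)
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    try:
        open_sealed(tampered, key)
    except ValueError as exc:
        print("rejected:", exc)
```

The tag check only establishes that the blob came from a holder of the key, so the key must be kept out of reach of whoever can supply the bytes.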

Patch Details
  • Fixed Version: 0.2.9
  • Patch Commit: https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7