PT-2024-37303 · Langchain Ai · Langchain
Published 2024-09-17 · Updated 2024-09-20 · CVE-2024-5998
CVSS v4.0: 8.4 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions:
langchain-ai/langchain versions prior to 0.2.4

Description:
A vulnerability in the FAISS.deserialize_from_bytes function allows for pickle deserialization of untrusted data, which can lead to the execution of arbitrary commands via the os.system function.

Recommendations:
For versions prior to 0.2.4, update to version 0.2.4 or later to resolve the issue.
As a temporary workaround, consider disabling the FAISS.deserialize_from_bytes function until a patch is available.
Restrict access to untrusted data to minimize the risk of exploitation.

Related Identifiers: Exploit, Fix
Weakness Enumeration: Deserialization of Untrusted Data
Affected Products: Langchain
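The defensive pattern behind the "restrict access to untrusted data" recommendation, as an added example that is not code from this advisory or from the langchain project: a pickle stream only becomes dangerous when it imports a callable (the GLOBAL / STACK_GLOBAL opcodes are what resolve a name such as os.system), so a consumer can either refuse those imports at load time or inspect the stream for them without loading it. The restricted unpickler below overrides find_class to resolve only an allowlist of builtins, and scan_globals uses pickletools.genops to list the module.name references a blob would import. The sample blobs are constructed here; fractions.Fraction stands in for a hostile callable, and none of the function names are langchain's own API. Only the standard library is used.

```python
import builtins
import io
import pickle
import pickletools
from fractions import Fraction

# Builtin names a restricted loader is allowed to resolve. Anything outside this
# allowlist, e.g. os.system, is refused before the stream can call it.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str", "bytes",
                 "bytearray", "int", "float", "complex", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted builtins (hypothetical helper)."""

    def find_class(self, module, name):
        # find_class is the hook the stream uses to import any callable it wants
        # to invoke, so this is the single choke point for untrusted data.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refused to resolve global '{module}.{name}'")


def safe_load(data: bytes):
    """Return (value, None) on success, or (None, reason) if the stream was refused."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load(), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


def scan_globals(data: bytes) -> list:
    """List the 'module.name' references a stream would import, without loading it.

    pickletools.genops only disassembles opcodes. GLOBAL (protocols 0-3) carries
    'module name' as its argument; STACK_GLOBAL (protocol 4+) consumes the two
    most recently pushed strings, which this heuristic tracks.
    """
    refs = []
    strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if isinstance(arg, str):
            strings.append(arg)
        if opcode.name == "GLOBAL":
            module, _, name = arg.partition(" ")
            refs.append(f"{module}.{name}")
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            refs.append(f"{strings[-2]}.{strings[-1]}")
    return refs


# Constructed samples (not real FAISS index data): a plain dict, which imports
# nothing, and a dict holding an object whose pickle must import its class.
def sample_plain_blob(protocol: int = pickle.DEFAULT_PROTOCOL) -> bytes:
    return pickle.dumps({"ids": [1, 2, 3], "name": "index"}, protocol=protocol)


def sample_global_ref_blob(protocol: int = pickle.DEFAULT_PROTOCOL) -> bytes:
    return pickle.dumps({"ratio": Fraction(1, 3)}, protocol=protocol)


if __name__ == "__main__":
    for blob in (sample_plain_blob(), sample_global_ref_blob(), sample_global_ref_blob(2)):
        print("imports:", scan_globals(blob), "->", safe_load(blob))
```

scan_globals is the cheap pre-check to run on a blob received from an untrusted source (it never executes the stream), while RestrictedUnpickler is the load-time control; a blob that imports anything outside the allowlist is rejected with the offending name in the error, which is also a useful signal to log.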