CVE-2024-5998

Name: CVE-2024-5998
Creator: NVD / NIST
Published: 2024-09-17T12:15:02.977+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10EPSS 0.36%

Last modified Jun 17, 2026

CVE-2024-5998 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. EPSS estimates a 0.36% chance of exploitation in the next 30 days.

Description

A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.36%

27.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-502

Affected Software

Vendor	Product	Versions
Langchain	Langchain	< 0.2.9

References

https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7Patch
https://huntr.com/bounties/fa3a2753-57c3-4e08-a176-d7a3ffda28feExploit, Third Party Advisory

Timeline

Published: Sep 17, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-5998?

How severe is CVE-2024-5998?

CVE-2024-5998 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.36% probability of exploitation in the next 30 days.

How do I fix CVE-2024-5998?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-5998?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST