### Vulnerability Overview

- **Vulnerability Name**: Unsafe Pickle Deserialization in FAISS Vector Store
- **Vulnerability Type**: Remote Code Execution (RCE)
- **Vulnerability Description**: In the `FAISS` vector store, the `_load()` method uses `pickle.load()` to deserialize the docstore file without any restrictions. Because `pickle` resolves and calls arbitrary importable objects while loading, an attacker who can control the `.pkl` file can execute arbitrary code in the process that loads it.

### Impact Scope

- **Affected Component**: `FAISS` vector store
- **Specific File**: `mem0/vector_stores/faiss.py`
- **Exploitation Conditions**: Attacker must be able to control the `.pkl` file

### Remediation Plan

- **Solution**:
  - Implement a `SafeUnpickler` class that only allows safe built-in types (e.g., `dict`, `list`, `str`, `int`, `float`, `bool`, `tuple`, `set`, `frozenset`, `NoneType`).
  - Migrate from `pickle` to `JSON` format for new saves (`JSON` cannot execute code).
  - Automatically migrate old `pickle` files to `JSON` on first load.
  - Perform structural validation on deserialized data.

### Code Block

```python
import pickle


class SafeUnpickler(pickle.Unpickler):
    # pickle calls find_class() for every GLOBAL / STACK_GLOBAL opcode in the
    # stream; refusing everything outside this allow-list of plain data types
    # means the stream cannot reference os.system, subprocess, eval, etc.
    def find_class(self, module, name):
        if module == "builtins" and name in {"dict", "list", "str", "int", "float", "bool", "tuple", "set", "frozenset", "NoneType"}:
            return getattr(__import__(module), name)
        raise pickle.UnpicklingError(f"Global '{module}.{name}' is forbidden")
```

### Additional Information

- **Vulnerability ID**: #4833
- **Fix Status**: Merged
- **Test Coverage**: Added 15 new security tests covering `SafeUnpickler` (blocking `os.system`, `subprocess`, `eval`), secure `pickle` loading, structural validation, and end-to-end `FAISS` secure integration. Verified that malicious payloads do not execute.