[Security] Code Execution via unsafe deserialization

[edoardottt]

Summary

An Unsafe Deserialization via pickle.load() in mem0 allows Remote Command Execution on the server host.

Details

The vulnerability is caused by the usage of vulnerable function of pickle serialization library (faiss.py#L94).

import pickle
# ...
    def _load(self, index_path: str, docstore_path: str):
        """
        Load FAISS index and docstore from disk.

        Args:
            index_path (str): Path to FAISS index file.
            docstore_path (str): Path to docstore pickle file.
        """
        try:
            self.index = faiss.read_index(index_path)
            with open(docstore_path, "rb") as f:
                self.docstore, self.index_to_id = pickle.load(f)
            logger.info(f"Loaded FAISS index from {index_path} with {self.index.ntotal} vectors")
        except Exception as e:
            logger.warning(f"Failed to load FAISS index: {e}")

            self.docstore = {}
            self.index_to_id = {}

PoC

For a simple proof of concept we're using the bytes representation of pickled object below:

class Evil:
    def __reduce__(self):
        return (os.system, ("touch pwned",))

that is: \x80\x04\x95+\x00\x00\x00\x00\x00\x00\x00\x8c\x05posix\x94\x8c\x06system\x94\x93\x94\x8c\x10touch pwned\x94\x85\x94R\x94..

Using this payload as content of the FAISS pickled file, an attacker can execute any arbitrary system command.

Impact

Usually if attackers can control the FAISS index file, they can poison or manipulate search results by injecting malicious vectors that distort nearest-neighbor retrieval.
In this case, attackers can run arbitrary system commands without any restriction (e.g. they could use a reverse shell and gain access to the server).
The impact is high as the attacker can completely takeover the server host.

References

• https://docs.python.org/3/library/pickle.html

Credits

Edoardo Ottavianelli (@edoardottt)

[rakheesingh]

Hi @kartik-mem0, I'd like to work on fixing this vulnerability. Before I submit a PR, wanted to align on the approach:

Proposed fix:

Replace pickle.load()/pickle.dump() in mem0/vector_stores/faiss.py with json serialization for the docstore and index_to_id mapping. Both are simple Python dicts (string keys, basic values), so JSON handles them natively without any security risk.

Changes:

• _save(): Replace pickle.dump() with json.dump()
• _load(): Replace pickle.load() with json.load()
• Add a backward-compatibility fallback: if loading JSON fails, attempt pickle.load() with a logged deprecation warning so existing users aren't broken immediately

Migration path:

• New saves always use JSON
• Old pickle files are loaded once (with warning) and re-saved as JSON on next write
• Optionally, add a utility function to explicitly migrate existing pickle files

Would you prefer this approach, or would you rather remove FAISS support entirely / use a different strategy? Happy to adjust based on your preference.

[cook35675-glitch]

Hi @kartik-mem0, I plan to replace pickle with JSON for the docstore and index-to-id mapping in faiss.py. Plan: Replace pickle.dump()/pickle.load() with json.dump()/json.load(). Add a fallback to pickle.load() with a warning for old files. Does this approach look good, or do you prefer another strategy?

…

On Fri, Apr 3, 2026, 10:28 AM Rakhee Singh ***@***.***> wrote: *rakheesingh* left a comment (mem0ai/mem0#3778) <#3778 (comment)> Hi @kartik-mem0 <https://github.com/kartik-mem0>, I'd like to work on fixing this vulnerability. Before I submit a PR, wanted to align on the approach: *Proposed fix:* Replace pickle.load()/pickle.dump() in mem0/vector_stores/faiss.py with json serialization for the docstore and index_to_id mapping. Both are simple Python dicts (string keys, basic values), so JSON handles them natively without any security risk. *Changes:* - _save(): Replace pickle.dump() with json.dump() - _load(): Replace pickle.load() with json.load() - Add a backward-compatibility fallback: if loading JSON fails, attempt pickle.load() with a logged deprecation warning so existing users aren't broken immediately *Migration path:* - New saves always use JSON - Old pickle files are loaded once (with warning) and re-saved as JSON on next write - Optionally, add a utility function to explicitly migrate existing pickle files Would you prefer this approach, or would you rather remove FAISS support entirely / use a different strategy? Happy to adjust based on your preference. — Reply to this email directly, view it on GitHub <#3778?email_source=notifications&email_token=B7F3Z3YJNKM2TYSSONNVMKL4T7C7NA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJYGM3TANRYGQ22M4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#issuecomment-4183706845>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/B7F3Z37GHUV45EEYL7NPCVT4T7C7NAVCNFSM6AAAAACMVUPBMGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCOBTG4YDMOBUGU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[edoardottt]

This vulnerability is publicly tracked as CVE-2026-7597.