Finding F007: Unsafe Pickle Deserialization in Memory Bank

Severity: CRITICAL

Location

python/packages/autogen-ext/src/autogen_ext/experimental/task_centric_memory/_memory_bank.py (line 82) python/packages/autogen-ext/src/autogen_ext/experimental/task_centric_memory/_string_similarity_map.py (line 48)

Description

The MemoryBank and StringSimilarityMap classes use Python's pickle module for serialization/deserialization:

# _memory_bank.py line 82
with open(self.path_to_dict, "rb") as f:
    self.uid_memo_dict = pickle.load(f)  # VULNERABLE

# _string_similarity_map.py line 48
with open(path, "rb") as f:
    self.uid_text_dict = pickle.load(f)  # VULNERABLE

Pickle deserialization can execute arbitrary Python code when a malicious pickle file is loaded.

Attack Scenario

Attacker controls the pickle file (via path traversal, shared filesystem, etc.)
Pickle file contains malicious serialized object
When loaded, arbitrary code executes

Risk Assessment

Severity: CRITICAL
Impact: Arbitrary code execution
Likelihood: MEDIUM (requires file system access)

Existing Mitigations

None identified

Recommendations

Replace pickle with JSON or another safe serialization format
If pickle is required, use RestrictedUnpickler pattern
Add file integrity verification (HMAC signature)
Document the risk and warn users not to use untrusted paths

orenyomtov/F007_Pickle_Deserialization.md

Select an option

No results found