Skip to main content
CVE Vulnerability Database

CVE-2025-3108: Llamaindex Deserialization RCE Vulnerability

CVE-2025-3108 is a critical deserialization RCE flaw in Llamaindex's JsonPickleSerializer that enables remote code execution through insecure pickle handling. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-3108 Overview

A critical insecure deserialization vulnerability has been identified in the run-llama/llama_index library's JsonPickleSerializer component. This vulnerability affects versions v0.12.27 through v0.12.40 and enables remote code execution due to an insecure fallback mechanism to Python's pickle module. The JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data, allowing attackers to craft malicious payloads to achieve full system compromise.

Critical Impact

Remote code execution via insecure deserialization in LlamaIndex's JsonPickleSerializer component allows attackers to achieve full system compromise through crafted malicious payloads.

Affected Products

  • LlamaIndex versions v0.12.27 through v0.12.40
  • Applications using JsonPickleSerializer for data deserialization
  • AI/ML pipelines integrating vulnerable LlamaIndex versions

Discovery Timeline

  • July 6, 2025 - CVE-2025-3108 published to NVD
  • July 30, 2025 - Last updated in NVD database

Technical Details for CVE-2025-3108

Vulnerability Analysis

This vulnerability represents a classic insecure deserialization flaw in Python applications. The JsonPickleSerializer class in LlamaIndex's workflow context serializers module implements a fallback mechanism that prioritizes the use of Python's native pickle module for deserialization. Python's pickle module is inherently unsafe for deserializing untrusted data because it can execute arbitrary Python code during the unpickling process. When the serializer receives data that cannot be parsed as JSON, it falls back to pickle.loads(), creating an attack surface for remote code execution.

The root cause of this vulnerability stems from several design flaws: an insecure fallback mechanism that defaults to pickle deserialization, lack of validation or safeguards against malicious serialized data, misleading design that obscures the security implications, and violation of Python security guidelines which explicitly warn against unpickling untrusted data.

Root Cause

The vulnerability exists in the JsonPickleSerializer class within the llama_index/core/workflow/context_serializers.py file. The implementation prioritizes deserialization using pickle.loads() without proper validation or sandboxing. This design violates Python's security guidelines, which explicitly state that the pickle module is not secure against erroneous or maliciously constructed data. The lack of input validation before deserialization allows attackers to inject arbitrary Python objects that execute code during the unpickling process.

Attack Vector

An attacker can exploit this vulnerability by submitting a crafted malicious payload to any endpoint or function that processes data through the JsonPickleSerializer. The attack requires network access and user interaction, but no prior authentication or privileges. Once the malicious serialized payload is processed by the vulnerable deserialization routine, arbitrary code executes with the privileges of the application, potentially leading to complete system compromise.

The following patch shows how the vulnerability was addressed by renaming the class to PickleSerializer to make the security implications explicit:

python
         return self._deserialize_value(data)
 
 
-class JsonPickleSerializer(JsonSerializer):
+class PickleSerializer(JsonSerializer):
     def serialize(self, value: Any) -> str:
         """Serialize while prioritizing JSON, falling back to Pickle."""
         try:

Source: GitHub Commit Details

Detection Methods for CVE-2025-3108

Indicators of Compromise

  • Unusual process spawning from Python applications using LlamaIndex
  • Unexpected network connections initiated by AI/ML pipeline processes
  • Anomalous file system operations following data deserialization events
  • Process execution chains indicating code injection via pickle payloads

Detection Strategies

  • Monitor for imports and usage of JsonPickleSerializer in application codebases
  • Implement application logging around deserialization operations to capture suspicious payloads
  • Deploy runtime application security testing (RASP) to detect pickle-based exploitation attempts
  • Use static analysis tools to identify vulnerable LlamaIndex versions in dependency trees

Monitoring Recommendations

  • Enable detailed logging for all serialization/deserialization operations in LlamaIndex workflows
  • Monitor process behavior for signs of arbitrary code execution following data processing
  • Implement alerting on dependency version checks for LlamaIndex packages
  • Track network egress from applications using vulnerable components for potential reverse shell connections

How to Mitigate CVE-2025-3108

Immediate Actions Required

  • Upgrade LlamaIndex to version v0.12.41 or later immediately
  • Audit application code for usage of JsonPickleSerializer and replace with safer alternatives
  • Implement input validation and sanitization before any deserialization operations
  • Consider using JSON-only serialization where pickle functionality is not required

Patch Information

The vulnerability has been addressed in the official GitHub commit. The fix includes renaming JsonPickleSerializer to PickleSerializer to make the security implications explicit in the naming, along with adding documentation warnings about the risks of deserializing untrusted data. Organizations should upgrade to the patched version and review the Huntr Bug Bounty Report for additional technical details.

Workarounds

  • Avoid using JsonPickleSerializer (now PickleSerializer) for processing untrusted input
  • Implement strict input validation to reject pickle-format data from external sources
  • Use alternative serialization formats such as JSON-only serializers that do not support pickle fallback
  • Deploy network segmentation to limit the impact of potential exploitation
bash
# Check your LlamaIndex version and upgrade if vulnerable
pip show llama-index | grep Version
pip install --upgrade llama-index>=0.12.41

# Audit codebase for vulnerable serializer usage
grep -r "JsonPickleSerializer" --include="*.py" .

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.