Safety vulnerability ID: 77977
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of the LlamaIndex package are vulnerable to Remote Code Execution (RCE) through insecure deserialization. The `JsonPickleSerializer` class uses Python's `pickle.loads()` function without proper validation, which can execute arbitrary code when processing untrusted data.
The `deserialize` method applies `pickle.loads()` to base64-decoded input, so an attacker can craft a malicious payload that executes arbitrary commands when it is deserialized. A remote attacker can exploit this vulnerability by submitting specially crafted serialized objects, resulting in full system compromise.
The vulnerability was partially addressed by renaming the class to `PickleSerializer` and adding a prominent warning in the docstring advising users to only deserialize trusted data. However, the underlying insecure `pickle.loads()` functionality remains unchanged.
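Because the advisory notes that `pickle.loads()` itself is unchanged, callers who cannot guarantee trusted input need their own guard. The following is an added example, not LlamaIndex code: it keeps the base64-plus-pickle format described above but loads it through an unpickler that refuses every global lookup. The names `NoGlobalsUnpickler`, `safe_deserialize`, `encode` and `is_rejected` are hypothetical, and the sample blobs are constructed here from harmless values.

```python
import base64
import io
import pickle
from datetime import date


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that rejects every class or function reference (hypothetical name)."""

    def find_class(self, module, name):
        # pickle resolves every callable it is asked to invoke through
        # find_class, so refusing here stops the stream before any call.
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_deserialize(b64_data: str):
    """Decode base64, then unpickle with all global lookups disabled."""
    raw = base64.b64decode(b64_data, validate=True)
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()


def encode(obj) -> str:
    """Produce the base64(pickle) form the advisory describes."""
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")


# Constructed samples: plain containers need no globals, a date object does.
PLAIN = encode({"step": 3, "tags": ["a", "b"]})
WITH_GLOBAL = encode({"created": date(2024, 1, 1)})


def is_rejected(b64_data: str) -> bool:
    """True when the stream references any global and is therefore refused."""
    try:
        safe_deserialize(b64_data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("plain data loads:", safe_deserialize(PLAIN))
    print("stream with a global rejected:", is_rejected(WITH_GLOBAL))
```

Blocking globals limits what a stream can reach but still runs the pickle machinery on attacker-controlled bytes; for data that crosses a trust boundary, a format without code-bearing types such as JSON is the stronger choice.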
Latest version: 0.14.2
Interface between LLMs and your data