CVE-2024-14021: llamaindex: Deserialization enables RCE

Severity: HIGH | PoC available | CISA SSVC: Attend
Published January 12, 2026
CISO Take

If your organization uses LlamaIndex with BGE-M3 embedding indices loaded from disk, you have a critical arbitrary code execution exposure. Any pipeline calling BGEM3Index.load_from_disk() from an untrusted or shared persist_dir is exploitable with a crafted pickle file — no special privileges required. Patch to a version above 0.11.6 immediately and audit all index-loading code paths for externally-influenced directory inputs.

Risk Assessment

High risk for organizations running RAG pipelines or agent frameworks built on LlamaIndex. CVSS 7.8 with low attack complexity means exploitation requires no AI expertise: crafting a malicious pickle file is a well-documented, trivial technique. The local attack vector (AV:L) and the required user interaction (UI:R, a victim process has to load the index) rule out remote opportunistic scanning, but shared storage (S3, NFS, mounted volumes) and developer-workstation supply chain scenarios, where the attacker only needs write access to a directory someone else will load, raise real-world exposure to near-critical. The absence of a CISA KEV listing lowers urgency marginally; the RCE impact demands rapid response regardless.

Affected Systems

Package: llamaindex
Ecosystem: pip
Vulnerable range: not listed here (the NVD description below names versions up to and including 0.11.6)
Patched: no patched version listed

Severity & Risk

CVSS 3.1 base score: 7.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 26% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM; sophistication trivial; confidence medium
CISA SSVC: Public PoC (indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

1. Patch: Upgrade llamaindex to a version above 0.11.6 that resolves this issue; validate via changelog or commit history confirming the fix.
2. Audit: Grep all codebases for BGEM3Index.load_from_disk() calls and trace whether persist_dir originates from user input, environment variables, or external storage.
3. Workaround (if patching is delayed): Restrict persist_dir to trusted, immutable, access-controlled local paths; never load from network paths or user-supplied directories.
4. Detection: Alert on .pkl file writes to model/index directories from unexpected processes; monitor anomalous subprocess spawning from LlamaIndex worker processes.
5. Defense-in-depth: Run LlamaIndex workloads in sandboxed containers with restricted syscalls (seccomp) and no outbound network egress to contain blast radius if exploited.
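A static audit for the second step above (finding every load_from_disk() call and tracing where persist_dir comes from), as an added example that is not part of this advisory or of the LlamaIndex project. The sample source it scans is constructed here; the taint rules (os.environ, os.getenv and input() count as env, sys.argv as argv, function parameters as parameter, literal s3://, gs:// and http(s):// strings as external-url) and the module-wide, scope-unaware tracking of assignments are simplifying assumptions, not a full dataflow analysis.

```python
# Added example (not LlamaIndex code): static audit of load_from_disk() calls.
# Taint rules and module-wide assignment tracking are simplifying assumptions.
import ast
import sys

TAINT_CALLS = {"os.getenv", "os.environ.get", "input"}
TAINT_SUBSCRIPTS = {"os.environ": "env", "sys.argv": "argv"}
REMOTE_PREFIXES = ("s3://", "gs://", "http://", "https://")
RANK = ["argv", "env", "external-url", "parameter", "unknown", "literal"]  # worst first


def dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def classify(expr, assignments, params, seen=()):
    """Where does the value of expr come from? Follows simple assignments."""
    if isinstance(expr, ast.Constant) and isinstance(expr.value, str):
        return "external-url" if expr.value.startswith(REMOTE_PREFIXES) else "literal"
    if isinstance(expr, ast.Name):
        if expr.id in params:
            return "parameter"
        if expr.id in assignments and expr.id not in seen:  # seen guards x = x loops
            return classify(assignments[expr.id], assignments, params, seen + (expr.id,))
        return "unknown"
    if isinstance(expr, ast.Subscript):
        return TAINT_SUBSCRIPTS.get(dotted(expr.value), "unknown")
    if isinstance(expr, ast.Call):
        if dotted(expr.func) in TAINT_CALLS:
            return "env"
        # e.g. os.path.join(base, user_part): the worst input decides
        kinds = {classify(a, assignments, params, seen) for a in expr.args}
        return next((k for k in RANK if k in kinds), "unknown")
    return "unknown"


class Auditor(ast.NodeVisitor):
    """Collects (lineno, callee, persist_dir classification) per call site."""

    def __init__(self, assignments):
        self.assignments, self.params, self.findings = assignments, set(), []

    def visit_FunctionDef(self, node):
        outer = self.params
        a = node.args
        self.params = {p.arg for p in a.posonlyargs + a.args + a.kwonlyargs}
        self.generic_visit(node)
        self.params = outer

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        callee = dotted(node.func) or ""
        if callee.endswith("load_from_disk"):
            arg = next((k.value for k in node.keywords if k.arg == "persist_dir"),
                       node.args[0] if node.args else None)
            kind = "unknown" if arg is None else classify(arg, self.assignments, self.params)
            self.findings.append((node.lineno, callee, kind))
        self.generic_visit(node)


def audit_source(src):
    """Parse one Python source and return findings sorted by line number."""
    tree = ast.parse(src)
    assignments = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1 \
                and isinstance(node.targets[0], ast.Name):
            assignments[node.targets[0].id] = node.value
    auditor = Auditor(assignments)
    auditor.visit(tree)
    return sorted(auditor.findings)


# Constructed sample source: four call sites with different persist_dir origins.
SAMPLE = '''
import os, sys
from llama_index.indices.managed.bge_m3 import BGEM3Index

SAFE_DIR = "/srv/indices/kb"
shared = os.environ["INDEX_DIR"]

def load_default():
    return BGEM3Index.load_from_disk(persist_dir=SAFE_DIR)

def load_from_env():
    return BGEM3Index.load_from_disk(shared)

def load_requested(path):
    return BGEM3Index.load_from_disk(persist_dir=os.path.join("/mnt/s3", path))

def load_cli():
    return BGEM3Index.load_from_disk(sys.argv[1])
'''

if __name__ == "__main__":
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, src in sources:
        for lineno, callee, kind in audit_source(src):
            flag = "OK " if kind == "literal" else "!! "
            print(f"{flag}{name}:{lineno} {callee}(persist_dir <- {kind})")
```

Run it with no arguments to audit the constructed sample, or pass file paths to audit your own tree; anything not classified as literal is a call site whose persist_dir deserves manual tracing.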

CISA SSVC Assessment

Decision: Attend
Exploitation: PoC
Automatable: No
Technical Impact: Total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - Information security for AI systems
A.8.1 - AI system lifecycle
A.8.2 - AI system security
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI third-party risk
MANAGE-2.2 - Mechanisms are in place to address AI risks
OWASP LLM Top 10
LLM05 (2023 list) / LLM03 (2025 list) - Supply Chain Vulnerabilities
LLM08 (2025 list) - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2024-14021?

An unsafe deserialization flaw in LlamaIndex versions up to and including 0.11.6: BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py calls pickle.load() on multi_embed_store.pkl from a caller-supplied persist_dir without validation, so anyone who can place a crafted pickle in that directory gets arbitrary code execution in the process that loads the index. No special privileges are required; the victim only has to load the index.

Is CVE-2024-14021 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-14021, increasing the risk of exploitation.

How to fix CVE-2024-14021?

Upgrade llamaindex to a version above 0.11.6 and confirm the fix in the changelog or commit history. Until then, load indices only from trusted, immutable, access-controlled local paths (never from network mounts or user-supplied directories), alert on unexpected .pkl writes to index directories and on subprocess spawning from LlamaIndex workers, and run the workload in a sandboxed container with seccomp and no outbound egress. The Recommended Action section above lists the full steps.

What systems are affected by CVE-2024-14021?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, model serving, training pipelines.

What is the CVSS score for CVE-2024-14021?

CVE-2024-14021 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.

Exploitation Scenario

An attacker targets a data science team using LlamaIndex with BGE-M3 for a RAG knowledge base whose embedding indices are stored in a shared S3 bucket accessible by multiple developers. The attacker either compromises the bucket via misconfigured IAM permissions or tricks a developer into loading a 'sample index' from a phishing link. The malicious persist_dir contains a crafted multi_embed_store.pkl embedding a Python reverse shell payload using pickle's __reduce__ protocol. When any developer runs their pipeline and calls BGEM3Index.load_from_disk(persist_dir='s3-mount/malicious-dir'), pickle.load() executes the payload — achieving RCE on the developer machine with immediate access to model weights, Anthropic/OpenAI API keys, cloud credentials, and lateral movement into internal systems.
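The scenario above and the workaround and detection steps in Recommended Action, as an added example that is not part of this advisory or of LlamaIndex itself: the unvalidated pickle.load() pattern the NVD text describes next to a hardened loader, plus a pickletools scan usable for triage. The store filename multi_embed_store.pkl comes from the NVD description; everything else is assumed: that a legitimate store is plain containers (dict, list, str, float) and needs no importable class, the trusted_root directory, and the environment-variable marker that stands in for a payload so the execution is observable without spawning a shell.

```python
# Added example (not LlamaIndex code): unvalidated pickle.load() vs a
# hardened loader. Assumptions: store is multi_embed_store.pkl (NVD text),
# legitimate stores are plain containers, marker env var is demo-only.
import io
import os
import pickle
import pickletools
import tempfile
from pathlib import Path

STORE_NAME = "multi_embed_store.pkl"
MARKER_VAR = "LLAMAINDEX_PICKLE_DEMO"  # hypothetical observable side effect
# Opcodes that import a global or call/instantiate something at load time.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX"}


class Payload:
    """Attacker-side object: its __reduce__ makes the unpickler call
    builtins.exec. A real payload spawns a shell; this one sets an
    environment variable so the execution is visible but harmless."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ[{MARKER_VAR!r}] = 'executed'",))


def write_store(persist_dir, obj):
    """Write obj as <persist_dir>/multi_embed_store.pkl."""
    Path(persist_dir).mkdir(parents=True, exist_ok=True)
    with open(Path(persist_dir) / STORE_NAME, "wb") as f:
        pickle.dump(obj, f)


def vulnerable_load(persist_dir):
    """The pattern the NVD text describes: pickle.load() on a caller-supplied
    persist_dir with no check of where it came from or what it contains."""
    with open(Path(persist_dir) / STORE_NAME, "rb") as f:
        return pickle.load(f)


def scan_pickle(data):
    """Triage without executing: load-time opcodes used and globals named
    (STACK_GLOBAL takes module and name from the two preceding string pushes)."""
    opcodes, globals_seen, recent = set(), [], []
    for op, arg, _pos in pickletools.genops(data):
        if isinstance(arg, str):
            recent.append(arg)
        if op.name in CODE_OPCODES:
            opcodes.add(op.name)
        if op.name == "GLOBAL":  # protocol <= 3: arg is "module name"
            globals_seen.append(arg.replace(" ", "."))
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            globals_seen.append(".".join(recent[-2:]))
    return opcodes, globals_seen


class RestrictedUnpickler(pickle.Unpickler):
    """Backstop: plain containers never need find_class, so any global is hostile."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def hardened_load(persist_dir, trusted_root):
    """Load only from under trusted_root, refuse pickles that carry code,
    and unpickle through the restricted unpickler regardless of the scan."""
    root = Path(trusted_root).resolve()
    store = (Path(persist_dir) / STORE_NAME).resolve()
    if root not in store.parents:
        raise ValueError(f"{store} is outside trusted root {root}")
    data = store.read_bytes()
    opcodes, globals_seen = scan_pickle(data)
    if opcodes:
        raise pickle.UnpicklingError(
            f"store uses {sorted(opcodes)} and references {globals_seen}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Both loaders against an attacker's store and our own; returns observations."""
    os.environ.pop(MARKER_VAR, None)
    r = {}
    with tempfile.TemporaryDirectory() as tmp:
        trusted, shared = Path(tmp) / "indices", Path(tmp) / "shared-mount" / "sample"
        write_store(trusted / "kb", {"doc-1": [0.1, 0.2]})   # our own index
        write_store(shared, Payload())                        # attacker's "sample index"
        write_store(trusted / "poisoned", Payload())          # attacker wrote into our bucket

        vulnerable_load(shared)  # the payload runs here, inside pickle.load()
        r["marker_after_vulnerable_load"] = os.environ.pop(MARKER_VAR, None)
        r["scan_opcodes"], r["scan_globals"] = scan_pickle((shared / STORE_NAME).read_bytes())
        try:
            hardened_load(shared, trusted)
            r["outside_root"] = "loaded"
        except ValueError:
            r["outside_root"] = "rejected"
        try:
            hardened_load(trusted / "poisoned", trusted)
            r["poisoned"] = "loaded"
        except pickle.UnpicklingError:
            r["poisoned"] = "rejected"
        r["marker_after_hardened_load"] = os.environ.get(MARKER_VAR)
        r["own_store"] = hardened_load(trusted / "kb", trusted)
    return r
```

Calling demo() shows the marker set by the vulnerable loader, the opcode and global report that a detection job could emit for any .pkl landing in an index directory, and both rejections from the hardened loader. If a real store does need classes (for example array types), replace the blanket refusal in find_class with an explicit allowlist rather than dropping the check.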

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
January 12, 2026
Last Modified
January 15, 2026
First Seen
January 12, 2026
