CVE-2024-14021: LlamaIndex Deserialization enables

CISO Take

If your organization uses LlamaIndex with BGE-M3 embedding indices loaded from disk, you have a critical arbitrary code execution exposure. Any pipeline calling BGEM3Index.load_from_disk() from an untrusted or shared persist_dir is exploitable with a crafted pickle file — no special privileges required. Patch to a version above 0.11.6 immediately and audit all index-loading code paths for externally-influenced directory inputs.

What is the risk?

High risk for organizations running RAG pipelines or agent frameworks built on LlamaIndex. CVSS 7.8 with low attack complexity means exploitation requires no AI expertise — crafting a malicious pickle file is a well-documented, trivial technique. The local attack vector limits remote opportunistic attacks, but shared storage (S3, NFS, mounted volumes) and developer workstation supply chain scenarios elevate real-world exposure to near-critical. No active CISA KEV listing reduces urgency marginally, but the RCE impact demands rapid response regardless.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LlamaIndex	pip	—	No patch
50.2K Pushed 4d ago 0% patched Full package profile →

Do you use LlamaIndex? You're affected.

How severe is it?

CVSS 3.1

7.8 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 20% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

What should I do?

1 step

1) Patch: Upgrade llamaindex to a version above 0.11.6 that resolves this issue; validate via changelog or commit history confirming the fix. 2) Audit: Grep all codebases for BGEM3Index.load_from_disk() calls and trace whether persist_dir originates from user input, environment variables, or external storage. 3) Workaround (if patching is delayed): Restrict persist_dir to trusted, immutable, access-controlled local paths; never load from network paths or user-supplied directories. 4) Detection: Alert on .pkl file writes to model/index directories from unexpected processes; monitor anomalous subprocess spawning from LlamaIndex worker processes. 5) Defense-in-depth: Run LlamaIndex workloads in sandboxed containers with restricted syscalls (seccomp) and no outbound network egress to contain blast radius if exploited.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework RAG AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0035 - AI Artifact Collection AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.10.1 - Information security for AI systems A.8.1 - AI system lifecycle A.8.2 - AI system security

NIST AI RMF

GOVERN-6.1 - Policies and procedures for AI third-party risk MANAGE 2.2 - Mechanisms are in place to address AI risks MANAGE-2.2 - Mechanisms for resolving AI risks are applied

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM05 - Supply Chain Vulnerabilities LLM08 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2024-14021?

If your organization uses LlamaIndex with BGE-M3 embedding indices loaded from disk, you have a critical arbitrary code execution exposure. Any pipeline calling BGEM3Index.load_from_disk() from an untrusted or shared persist_dir is exploitable with a crafted pickle file — no special privileges required. Patch to a version above 0.11.6 immediately and audit all index-loading code paths for externally-influenced directory inputs.

Is CVE-2024-14021 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-14021, increasing the risk of exploitation.

How to fix CVE-2024-14021?

1) Patch: Upgrade llamaindex to a version above 0.11.6 that resolves this issue; validate via changelog or commit history confirming the fix. 2) Audit: Grep all codebases for BGEM3Index.load_from_disk() calls and trace whether persist_dir originates from user input, environment variables, or external storage. 3) Workaround (if patching is delayed): Restrict persist_dir to trusted, immutable, access-controlled local paths; never load from network paths or user-supplied directories. 4) Detection: Alert on .pkl file writes to model/index directories from unexpected processes; monitor anomalous subprocess spawning from LlamaIndex worker processes. 5) Defense-in-depth: Run LlamaIndex workloads in sandboxed containers with restricted syscalls (seccomp) and no outbound network egress to contain blast radius if exploited.

What systems are affected by CVE-2024-14021?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, model serving, training pipelines.

What is the CVSS score for CVE-2024-14021?

CVE-2024-14021 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.29%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesagent frameworksmodel servingtraining pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011 User Execution

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

AML.T0035 AI Artifact Collection

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15, Article 15

ISO 42001: A.10.1, A.8.1, A.8.2

NIST AI RMF: GOVERN-6.1, MANAGE 2.2, MANAGE-2.2

OWASP LLM Top 10: LLM03, LLM05, LLM08

What are the technical details?

Original Advisory

LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.

Exploitation Scenario

An attacker targets a data science team using LlamaIndex with BGE-M3 for a RAG knowledge base whose embedding indices are stored in a shared S3 bucket accessible by multiple developers. The attacker either compromises the bucket via misconfigured IAM permissions or tricks a developer into loading a 'sample index' from a phishing link. The malicious persist_dir contains a crafted multi_embed_store.pkl embedding a Python reverse shell payload using pickle's __reduce__ protocol. When any developer runs their pipeline and calls BGEM3Index.load_from_disk(persist_dir='s3-mount/malicious-dir'), pickle.load() executes the payload — achieving RCE on the developer machine with immediate access to model weights, Anthropic/OpenAI API keys, cloud credentials, and lateral movement into internal systems.

Weaknesses (CWE)

CWE-502 Deserialization of Untrusted Data Primary

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

[Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
[Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.