CVE-2025-3108: llama-index: RCE via unsafe pickle deserialization

GHSA-m84c-4c34-28gf | Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published July 7, 2025
CISO Take

Any LlamaIndex deployment using JsonPickleSerializer to load persisted indexes or cached data from untrusted sources is vulnerable to full remote code execution. The attack complexity is high (the attacker must control the serialized input), but RAG pipelines and agent frameworks routinely ingest external data, which makes this realistic. Upgrade to llama-index-core >= 0.12.41 immediately and audit all serialization/deserialization code paths.

What is the risk?

CVSS 5.0 understates operational risk for AI-heavy organizations. Pickle deserialization flaws are well-understood and reliable — any attacker who controls serialized data achieves arbitrary code execution with no further exploitation required. The high attack complexity (AC:H) reflects the requirement to deliver a malicious payload to the deserialization endpoint, but in RAG pipelines this is achievable by injecting a crafted document into an indexed data source. The 1.1% EPSS and absence from KEV suggest active exploitation is not yet observed, but the technique is trivial once the attack path is established.

What systems are affected?

Package: LlamaIndex Core (llama-index-core)
Ecosystem: pip
Vulnerable range: >= 0.11.15, <= 0.12.40
Patched version: 0.12.41

How severe is it?

CVSS 3.1 base score: 5.0 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 33% of all CVEs)
Exploitation status: exploit available
Exploitation: MEDIUM
Sophistication: moderate
Exploitation confidence: medium
CISA SSVC: public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

What should I do?

  1. PATCH
     Upgrade llama-index-core to >= 0.12.41 immediately.

  2. AUDIT
     Search the codebase for all instances of JsonPickleSerializer instantiation and any pickle.loads() calls in AI pipeline code.

  3. WORKAROUND (if upgrade not possible)
     Ensure JsonPickleSerializer only processes data from fully trusted, integrity-verified sources — never from user-supplied or externally-fetched inputs.

  4. DETECT
     Review application logs for unexpected process spawning or outbound connections from AI pipeline worker processes. Monitor for pickle deserialization errors on unexpected data.

  5. HARDEN
     Enforce allow-listing of trusted serialization formats (JSON-only where possible). Consider running LlamaIndex workers in sandboxed containers with restricted syscalls (seccomp/AppArmor) to limit RCE blast radius.
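The WORKAROUND and HARDEN steps above amount to two controls: only accept an allow-listed format (JSON) and only accept persisted data whose integrity can be verified. The following is an added example of how an application can implement both for its own persisted index data; it is not LlamaIndex's code, and the key, the tag layout (hex HMAC-SHA256 tag, newline, JSON body), the sample index structure and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Any

# Constructed demo key. Assumption: a real deployment loads the key from a secrets
# manager and never stores it beside the persisted index files.
DEMO_KEY = b"constructed-demo-key-not-for-production"


class UnsafeFormatError(ValueError):
    """Persisted data is not in the allow-listed (JSON) format."""


class IntegrityError(ValueError):
    """The HMAC tag over persisted data did not verify."""


def persist(obj: Any, key: bytes = DEMO_KEY) -> bytes:
    """Encode obj as canonical JSON and prefix a hex HMAC-SHA256 tag plus a newline."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return tag + b"\n" + body


def load(blob: bytes, key: bytes = DEMO_KEY) -> Any:
    """Reject non-JSON formats, verify the tag, then parse JSON. There is no pickle path."""
    # Protocol >= 2 pickle streams begin with the PROTO opcode (0x80); JSON text never does.
    if blob[:1] == b"\x80":
        raise UnsafeFormatError("pickle stream rejected: only JSON is accepted")
    tag, sep, body = blob.partition(b"\n")
    if not sep:
        raise IntegrityError("missing integrity tag")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise IntegrityError("integrity tag mismatch: data modified or signed with another key")
    return json.loads(body)


def classify(blob: bytes, key: bytes = DEMO_KEY) -> str:
    """Outcome label for logging (the DETECT step): 'ok', 'unsafe-format' or 'bad-integrity'."""
    try:
        load(blob, key)
        return "ok"
    except UnsafeFormatError:
        return "unsafe-format"
    except IntegrityError:
        return "bad-integrity"


# Constructed sample index structure (not a real LlamaIndex index file).
SAMPLE_INDEX = {"nodes": [{"id": "n1", "text": "hello", "embedding": [0.1, 0.2]}], "dim": 2}
# Constructed stand-in for a pickle stream: just the PROTO 4 marker bytes.
PICKLE_MARKER = b"\x80\x04"

if __name__ == "__main__":
    blob = persist(SAMPLE_INDEX)
    print(classify(blob))                                   # ok
    print(classify(blob.replace(b'"dim":2', b'"dim":3')))   # bad-integrity
    print(classify(PICKLE_MARKER))                          # unsafe-format
```

The format check runs before the tag check so that a pickle stream is refused even if it somehow carries a valid tag, and the reason strings from classify are what the DETECT step's log review should be looking for.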

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI System Supply Chain Management
NIST AI RMF: GOVERN-6.2 - Policies and procedures are in place to address AI risks and benefits arising from third-party entities
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2025-3108 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3108, increasing the risk of exploitation.

What systems are affected by CVE-2025-3108?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, document processing pipelines, model serving, training pipelines.

What is the CVSS score for CVE-2025-3108?

CVE-2025-3108 has a CVSS v3.1 base score of 5.0 (MEDIUM). The EPSS exploitation probability is 0.42%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, agent frameworks, document processing pipelines, model serving, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.6.2
NIST AI RMF: GOVERN-6.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Incomplete Documentation of Program Execution exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause involves the use of an insecure fallback strategy without sufficient input validation or protective safeguards. Version 0.12.41 renames JsonPickleSerializer to PickleSerializer and adds a warning to the docs to only use PickleSerializer to deserialize safe things.

Exploitation Scenario

An adversary targets a company running a LlamaIndex-powered RAG system that indexes documents from a shared repository or S3 bucket to which the attacker has write access. The attacker uploads a crafted document containing a malicious pickle payload disguised as a legitimate LlamaIndex index file. When the indexing pipeline processes this file and calls JsonPickleSerializer to deserialize it, pickle.loads() executes the embedded payload — spawning a reverse shell or downloading a second-stage implant. From the AI pipeline worker, the attacker pivots laterally to the vector database, model weights, and potentially the entire cloud environment. The attack is especially dangerous in multi-tenant SaaS AI platforms where a single pipeline worker processes data from multiple customers.

Weaknesses (CWE)

CWE-1112 — Incomplete Documentation of Program Execution: The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Timeline

Published: July 7, 2025
Last Modified: July 7, 2025
First Seen: March 24, 2026
