CVE-2025-3108: llama-index: RCE via unsafe pickle deserialization

GHSA-m84c-4c34-28gf MEDIUM PoC AVAILABLE CISA: TRACK*
Published July 7, 2025
CISO Take

Any LlamaIndex deployment using JsonPickleSerializer to load persisted indexes or cached data from untrusted sources is vulnerable to full remote code execution. The attack complexity is high (the attacker must control the serialized input), but RAG pipelines and agent frameworks routinely ingest external data, which makes this realistic. Upgrade to llama-index-core >= 0.12.41 immediately and audit all serialization/deserialization code paths.

Risk Assessment

CVSS 5.0 understates operational risk for AI-heavy organizations. Pickle deserialization flaws are well-understood and reliable — any attacker who controls serialized data achieves arbitrary code execution with no further exploitation required. The high attack complexity (AC:H) reflects the requirement to deliver a malicious payload to the deserialization endpoint, but in RAG pipelines this is achievable by injecting a crafted document into an indexed data source. The 1.1% EPSS and absence from KEV suggest active exploitation is not yet observed, but the technique is trivial once the attack path is established.

Affected Systems

Package            Ecosystem   Vulnerable Range          Patched
llama-index-core   pip         >= 0.11.15, <= 0.12.40    0.12.41

Severity & Risk

CVSS 3.1: 5.0 / 10
EPSS: 1.9% (chance of exploitation in 30 days; higher than 84% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: High
PR: None
UI: Required
S: Unchanged
C: Low
I: Low
A: Low

Recommended Action

  1. PATCH
     Upgrade llama-index-core to >= 0.12.41 immediately.

  2. AUDIT
     Search the codebase for all instances of JsonPickleSerializer instantiation and any pickle.loads() calls in AI pipeline code.

  3. WORKAROUND (if upgrade not possible)
     Ensure JsonPickleSerializer only processes data from fully trusted, integrity-verified sources, never from user-supplied or externally fetched inputs.

  4. DETECT
     Review application logs for unexpected process spawning or outbound connections from AI pipeline worker processes. Monitor for pickle deserialization errors on unexpected data.

  5. HARDEN
     Enforce allow-listing of trusted serialization formats (JSON-only where possible). Consider running LlamaIndex workers in sandboxed containers with restricted syscalls (seccomp/AppArmor) to limit the RCE blast radius.
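As a defender-side illustration of steps 3 and 5 (integrity-verified input, JSON-only serialization), the following added example shows a serializer that never falls back to pickle and authenticates persisted blobs with HMAC-SHA256 so that anything not written by a trusted process is rejected before it is parsed. It is not llama-index's own code; the class name, the 0x80 pickle-detection heuristic and the CACHE_KEY secret are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Added example, not llama-index code. Assumes a per-deployment secret
# (here a constructed test key) shared by the writer and reader of the cache.
CACHE_KEY = b"constructed-example-key-rotate-in-production"


class PickleDataRejected(ValueError):
    """Persisted blob looks like a pickle stream, which this loader never parses."""


class JsonOnlySerializer:
    """JSON-only replacement for a serializer that falls back to pickle.loads().

    serialize() emits "<hmac-sha256 hex>.<json>"; deserialize() verifies the
    tag before parsing and uses json.loads, which cannot execute code.
    """

    def __init__(self, key: bytes = CACHE_KEY) -> None:
        self._key = key

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()

    def serialize(self, obj) -> bytes:
        payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
        return self._tag(payload) + b"." + payload

    def deserialize(self, blob: bytes):
        # Pickle protocol >= 2 streams begin with the PROTO opcode 0x80. The HMAC
        # check below would reject them anyway; this heuristic only gives the
        # failure a distinct, loggable error class for step 4 (DETECT).
        if blob.startswith(b"\x80"):
            raise PickleDataRejected("refusing to load pickle-formatted data")
        tag, sep, payload = blob.partition(b".")
        if not sep or not hmac.compare_digest(tag, self._tag(payload)):
            raise ValueError("integrity check failed: blob not from a trusted writer")
        return json.loads(payload)


if __name__ == "__main__":
    s = JsonOnlySerializer()
    blob = s.serialize({"index_id": "demo", "nodes": [1, 2, 3]})
    print(s.deserialize(blob))
```

A blob that fails the tag check raises ValueError and a pickle-looking blob raises PickleDataRejected, so both can be counted separately by the log monitoring in step 4.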

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI System Supply Chain Management
NIST AI RMF
GOVERN-6.2 - Policies and procedures are in place to address AI risks and benefits arising from third-party entities
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions


Is CVE-2025-3108 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3108, increasing the risk of exploitation.


What systems are affected by CVE-2025-3108?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, document processing pipelines, model serving, training pipelines.

What is the CVSS score for CVE-2025-3108?

CVE-2025-3108 has a CVSS v3.1 base score of 5.0 (MEDIUM). The EPSS exploitation probability is 1.95%.

Technical Details

NVD Description

Incomplete Documentation of Program Execution exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause involves the use of an insecure fallback strategy without sufficient input validation or protective safeguards. Version 0.12.41 renames JsonPickleSerializer to PickleSerializer and adds a warning to the docs to only use PickleSerializer to deserialize safe things.

Exploitation Scenario

An adversary targets a company running a LlamaIndex-powered RAG system that indexes documents from a shared repository or S3 bucket with write access. The attacker uploads a crafted document containing a malicious pickle payload disguised as a legitimate LlamaIndex index file. When the indexing pipeline processes this file and calls JsonPickleSerializer to deserialize it, pickle.loads() executes the embedded payload — spawning a reverse shell or downloading a second-stage implant. From the AI pipeline worker, the attacker pivots laterally to access the vector database, model weights, and potentially the entire cloud environment. The attack is especially dangerous in multi-tenant SaaS AI platforms where a single pipeline worker processes data from multiple customers.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Timeline

Published: July 7, 2025
Last Modified: July 7, 2025
First Seen: March 24, 2026
