Deserialization Vulnerability in JsonPickleSerializer of run-llama's Library
CVE-2025-3108
5 MEDIUM
What is CVE-2025-3108?
A deserialization vulnerability exists in the JsonPickleSerializer component of the run-llama/llama_index library, spanning versions v0.12.27 to v0.12.40. This flaw stems from an insecure fallback to Python's pickle module, which can execute arbitrary code upon processing untrusted data. Attackers can exploit this vulnerability by crafting malicious payloads that compromise system integrity. The absence of appropriate validation, design flaws, and a breach of established Python security guidelines contribute to this critical security risk. Remediation is strongly recommended to protect against potential remote code execution threats.
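The fallback pattern described above, shown beside a hardened form, as an added example that is not code from llama_index or from the original page. The `__pickle__` wrapper format and all function names are assumptions made for illustration, and the sample messages are constructed.

```python
import base64
import datetime
import io
import json
import pickle

# Assumed wire format for this sketch: JSON text, with pickled values wrapped
# as {"__pickle__": "<base64>"}. The marker name is hypothetical.
PICKLE_MARKER = "__pickle__"


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every import, so only built-in containers,
    strings, numbers, bytes, booleans and None can be reconstructed."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked import {module}.{name}")


def unsafe_deserialize(text):
    """Pattern at issue: JSON first, then pickle.loads on embedded blobs."""
    obj = json.loads(text)
    if isinstance(obj, dict) and PICKLE_MARKER in obj:
        return pickle.loads(base64.b64decode(obj[PICKLE_MARKER]))  # resolves imports
    return obj


def safe_deserialize(text, allow_legacy_pickle=False):
    """Hardened form: reject pickle blobs unless legacy reads are enabled,
    and even then decode them with the data-only unpickler."""
    obj = json.loads(text)
    if isinstance(obj, dict) and PICKLE_MARKER in obj:
        if not allow_legacy_pickle:
            raise ValueError("pickle payload rejected")
        blob = base64.b64decode(obj[PICKLE_MARKER])
        return DataOnlyUnpickler(io.BytesIO(blob)).load()
    return obj


def wrap(value):
    """Build a constructed sample message carrying a pickled value."""
    return json.dumps({PICKLE_MARKER: base64.b64encode(pickle.dumps(value)).decode()})


# Constructed samples: plain data, and a value whose pickle needs an import.
PLAIN = wrap({"step": 3, "tags": ["a", "b"]})
NEEDS_IMPORT = wrap(datetime.date(2025, 1, 1))
```

With `allow_legacy_pickle` left off, no pickle bytes are parsed at all; the data-only unpickler is only for reading older stored state that contains plain containers and scalars.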
Affected Version(s)
run-llama/llama_index < unspecified