Unsafe Deserialization in JsonPickleSerializer Enables Remote Code Execution in run-llama/llama_index
Description
A critical deserialization vulnerability exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause includes an insecure fallback mechanism, lack of validation or safeguards, misleading design, and violation of Python security guidelines.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-3108: Critical deserialization vulnerability in llama_index's JsonPickleSerializer allows RCE via insecure pickle fallback, affecting versions v0.12.27-v0.12.40.
Vulnerability
Description
The JsonPickleSerializer component in the run-llama/llama_index library contains a critical deserialization vulnerability (CVE-2025-3108) that allows remote code execution (RCE) [1]. The serializer falls back to Python's pickle module for deserialization, using pickle.loads() without adequate validation. This violates Python security guidelines and enables arbitrary code execution when processing untrusted data [1]. The root cause includes an insecure fallback mechanism, lack of safeguards, and misleading design [1].
Exploitation
Attackers can exploit this vulnerability by crafting malicious serialized payloads that, when deserialized by JsonPickleSerializer, execute arbitrary code. No authentication is required for exploitation, though network access to an application using the vulnerable library may be necessary. The vulnerability exists in versions v0.12.27 through v0.12.40 [1][3]. The library is commonly used in AI and data processing pipelines, increasing the potential attack surface [2].
Impact
Successful exploitation leads to full system compromise, including arbitrary code execution, data exfiltration, and potential lateral movement within the network. Given the critical severity (CVSS score pending but noted as critical in descriptions), this vulnerability poses a significant risk to affected deployments [1].
Mitigation
The vulnerability has been patched in version v0.12.41 of llama_index core, as noted in the project's changelog [3]. The fix renames the class to PickleSerializer and adds a docstring warning users to only deserialize objects they deem safe [4]. Users are strongly advised to update to v0.12.41 or later immediately. For those unable to upgrade, avoiding untrusted data with JsonPickleSerializer is recommended until migration is possible.
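The pickle-before-JSON order described above, placed beside a hardened alternative, as an added example written for this page and not code from llama_index or its authors. PickleFirstSerializer is a constructed mirror of the affected deserialize() order; JsonFirstSerializer, AllowlistUnpickler, importing_opcodes and demo are hypothetical names; the JSON-first order, the explicit pickle opt-in, the pickletools opcode pre-scan, the (module, name) allowlist and the fractions.Fraction sample payload are my own choices. Only the standard library is assumed.

```python
import base64
import io
import json
import pickle
import pickletools
from fractions import Fraction
from typing import Any, Iterable

# Opcodes through which a pickle stream names an importable object or calls
# one. A stream built only from primitives and containers never needs them;
# a stream that has them can import a module and call a callable on load.
IMPORTING_OPCODES = frozenset(
    {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}
)


def importing_opcodes(blob: bytes) -> set[str]:
    """Report the import/call opcodes in a pickle stream without loading it."""
    try:
        return {op.name for op, _, _ in pickletools.genops(blob)} & IMPORTING_OPCODES
    except ValueError as exc:  # truncated stream, or not a pickle at all
        raise ValueError(f"not a pickle stream: {exc}") from exc


class PickleFirstSerializer:
    """Constructed mirror of the affected order: pickle is attempted before
    JSON, so any base64 pickle that reaches deserialize() is executed."""

    def deserialize(self, value: str) -> Any:
        try:
            return pickle.loads(base64.b64decode(value))
        except Exception:
            return json.loads(value)


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only (module, name) pairs on an explicit allowlist."""

    def __init__(self, blob: bytes, allowed: frozenset[tuple[str, str]]):
        super().__init__(io.BytesIO(blob))
        self.allowed = allowed

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name}")
        return super().find_class(module, name)


class JsonFirstSerializer:
    """JSON first; pickle needs an explicit opt-in and, for any class
    reference, an allowlist entry. A protocol>=2 pickle starts with byte 0x80,
    which base64-encodes to a leading 'g' and so can never parse as JSON:
    the JSON attempt cannot silently accept a pickle payload."""

    def __init__(self, allow_pickle: bool = False,
                 allowed_globals: Iterable[tuple[str, str]] = ()):
        self.allow_pickle = allow_pickle
        self.allowed_globals = frozenset(allowed_globals)

    def serialize(self, value: Any) -> str:
        try:
            return json.dumps(value)
        except TypeError:
            if not self.allow_pickle:
                raise
            return base64.b64encode(pickle.dumps(value, protocol=4)).decode("ascii")

    def deserialize(self, value: str) -> Any:
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            pass  # not JSON; only now consider the pickle path
        if not self.allow_pickle:
            raise ValueError("pickle payload refused: serializer is JSON-only")
        blob = base64.b64decode(value, validate=True)
        found = importing_opcodes(blob)
        if found and not self.allowed_globals:
            raise ValueError(f"pickle payload refused: {sorted(found)} can import or call code")
        return AllowlistUnpickler(blob, self.allowed_globals).load()


# Constructed sample inputs. Loading FRACTION_BLOB requires importing
# fractions.Fraction and calling it (STACK_GLOBAL + REDUCE); PLAIN_BLOB
# is a container of primitives and needs no import at all.
FRACTION_BLOB = pickle.dumps(Fraction(1, 3), protocol=4)
FRACTION_PAYLOAD = base64.b64encode(FRACTION_BLOB).decode("ascii")
PLAIN_BLOB = pickle.dumps({"a": [1, 2]}, protocol=4)


def demo() -> dict[str, Any]:
    """Feed the same pickle payload to each serializer and record what it does."""
    results: dict[str, Any] = {
        "pickle_first_loads_object": PickleFirstSerializer().deserialize(FRACTION_PAYLOAD)
    }
    hardened = {
        "json_only": JsonFirstSerializer(),
        "opt_in_no_allowlist": JsonFirstSerializer(allow_pickle=True),
        "opt_in_wrong_allowlist": JsonFirstSerializer(
            allow_pickle=True, allowed_globals=[("datetime", "date")]),
        "opt_in_allowlisted": JsonFirstSerializer(
            allow_pickle=True, allowed_globals=[("fractions", "Fraction")]),
    }
    for label, ser in hardened.items():
        try:
            results[label] = ser.deserialize(FRACTION_PAYLOAD)
        except (ValueError, pickle.UnpicklingError) as exc:
            results[label] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Running the block shows the pickle-first serializer reconstructing the Fraction without any check, while the JSON-first serializer refuses the same payload unless pickle was opted into and fractions.Fraction was allowlisted. The opcode pre-scan is also usable on its own over stored workflow state: a base64 blob whose pickle stream contains none of IMPORTING_OPCODES cannot import or call anything on load, which makes it a cheap triage check before any untrusted checkpoint is opened.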
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| llama-index-core (PyPI) | >= 0.11.15, < 0.12.41 | 0.12.41 |
Affected products
- Range: >= v0.12.27 <= v0.12.40
- run-llama/run-llama/llama_index (v5): Range: unspecified
Patches
702e43406230: Adding warning in the docstring of JsonPickleSerializer for the user to deserialize only safe things (#18943)
2 files changed · +12 −5
llama-index-core/llama_index/core/workflow/context_serializers.py+9 −2 modified@@ -64,7 +64,7 @@ def deserialize(self, value: str) -> Any: return self._deserialize_value(data) -class JsonPickleSerializer(JsonSerializer): +class PickleSerializer(JsonSerializer): def serialize(self, value: Any) -> str: """Serialize while prioritizing JSON, falling back to Pickle.""" try: @@ -73,8 +73,15 @@ def serialize(self, value: Any) -> str: return base64.b64encode(pickle.dumps(value)).decode("utf-8") def deserialize(self, value: str) -> Any: - """Deserialize while prioritizing Pickle, falling back to JSON.""" + """ + Deserialize while prioritizing Pickle, falling back to JSON. + To avoid malicious exploits of the deserialization, deserialize objects + only when you deem it safe to do so. + """ try: return pickle.loads(base64.b64decode(value)) except Exception: return super().deserialize(value) + + +JsonPickleSerializer = PickleSerializer
llama-index-core/tests/workflow/test_workflow.py+3 −3 modified@@ -8,7 +8,7 @@ import pytest from llama_index.core import MockEmbedding from llama_index.core.llms.mock import MockLLM -from llama_index.core.workflow.context_serializers import JsonPickleSerializer +from llama_index.core.workflow.context_serializers import PickleSerializer from llama_index.core.workflow.decorators import step from llama_index.core.workflow.events import ( Event, @@ -534,9 +534,9 @@ async def step(self, ctx: Context, ev: StartEvent) -> StopEvent: state_dict = handler.ctx.to_dict() # if we allow pickle, then we can pickle the LLM/embedding object - state_dict = handler.ctx.to_dict(serializer=JsonPickleSerializer()) + state_dict = handler.ctx.to_dict(serializer=PickleSerializer()) new_handler = WorkflowHandler( - ctx=Context.from_dict(wf, state_dict, serializer=JsonPickleSerializer()) + ctx=Context.from_dict(wf, state_dict, serializer=PickleSerializer()) ) assert new_handler.ctx
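Review bot: In the deserialize hunk of context_serializers.py the method body is unchanged, so `return pickle.loads(base64.b64decode(value))` still runs on every input before JSON is even attempted; the new docstring asks callers to "deserialize objects only when you deem it safe to do so", but the code gives them nothing to act on. Consider trying `super().deserialize(value)` first and falling back to pickle only behind an explicit constructor opt-in, and resolving class references through a pickle.Unpickler subclass whose find_class checks an allowlist; that keeps the trusted-checkpoint use the tests cover (pickling the LLM/embedding object) while refusing arbitrary class references from untrusted state. The trailing alias `JsonPickleSerializer = PickleSerializer` also keeps the old name importable with no DeprecationWarning, so existing callers receive no signal that the behaviour they relied on is unchanged.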
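Review bot: The test_workflow.py hunk only follows the rename; the comment "if we allow pickle, then we can pickle the LLM/embedding object" still describes the only behaviour exercised, and nothing asserts the property the new docstring describes. Add a test that builds a base64 pickle stream carrying a class reference (a pickled stdlib object such as datetime.date is enough) and checks that it is refused, or is accepted only under an explicit opt-in, so that the next change to deserialize() cannot silently reintroduce unconditional pickle.loads; a one-line test importing JsonPickleSerializer would likewise keep the compatibility alias from regressing.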
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-m84c-4c34-28gf (ghsa, ADVISORY)
[2] nvd.nist.gov/vuln/detail/CVE-2025-3108 (ghsa, ADVISORY)
[3] github.com/run-llama/llama_index/blob/v0.12.41/CHANGELOG.md (ghsa, WEB)
[4] github.com/run-llama/llama_index/commit/702e4340623092fac4cf2fe95eb9465034856da3 (ghsa, WEB)
[5] huntr.com/bounties/9b55a5e8-74e6-4241-b323-e360dc8b110a (ghsa, WEB)