A critical vulnerability has been disclosed in Pipecat, the popular open-source Python framework used to build voice and conversational agents. The flaw, tracked as CVE-2025-62373, carries a CVSS score of 9.8 and exposes a high-risk entry point for Remote Code Execution (RCE).
The issue lies in a deprecated and undocumented component—the LivekitFrameSerializer—and serves as a stark reminder of the dangers of unsafe data deserialization in network-facing applications.
At the heart of the vulnerability is Python’s pickle module, a powerful but notoriously insecure way to serialize and deserialize data. The LivekitFrameSerializer was designed to convert audio frames for LiveKit integration. However, its deserialize() method was found to blindly pass untrusted data from WebSocket clients directly into pickle.loads() without any validation.
As the technical summary explains, “The class’s deserialize() method uses Python’s pickle.loads() on data received from WebSocket clients without any validation or sanitization. This means that a malicious WebSocket client can send a crafted pickle payload to execute arbitrary code on the Pipecat server”.
Because pickle can instantiate any Python object and execute code during the process, an attacker can craft a malicious binary object that, once “unpickled,” grants them full control over the host system with the privileges of the Pipecat service.
While the LivekitFrameSerializer is not enabled by default, any developer who has explicitly opted into using it for LiveKit support is at extreme risk.
An attacker on the same network—or the open internet, if the service is exposed—can achieve full RCE with just a single malicious message. This would allow them to:
- Execute arbitrary operating system commands.
- Install malware or ransomware.
- Pivot to other sensitive systems within the organization’s network.
The Pipecat maintainers have officially addressed the vulnerability in version 0.0.94. The vulnerable class has been deprecated in favor of the much safer LiveKit Transport method.
Immediate Recommendations for Developers:
- Upgrade Immediately: Transition to Pipecat version 0.0.94 or later to fully remediate the risk.
- Eliminate Unsafe Deserialization: Stop using the LivekitFrameSerializer entirely.
- Adopt Secure Formats: Use standardized formats like JSON, Protocol Buffers, or MessagePack, which do not execute code upon parsing.
- Network Hardening: Bind services to localhost (127.0.0.1) whenever possible and enforce robust authentication and authorization on all WebSocket connections.
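One way to act on the "stop using LivekitFrameSerializer" and "eliminate unsafe deserialization" recommendations is to audit your own code for them. The following is an added example, not code from Pipecat or the advisory: a small static check that flags imports or references to the deprecated class and, going slightly beyond the advisory, any `pickle.load`/`loads`/`Unpickler` call site. The function name `find_unsafe_deserialization` and the module path `example_app.serializers` are hypothetical, and the sample source is constructed.

```python
import ast

RISKY_CLASS = "LivekitFrameSerializer"       # class named in the advisory
PICKLE_SINKS = {"loads", "load", "Unpickler"}

# Constructed sample input; "example_app.serializers" is a placeholder module path.
SAMPLE = '''\
import pickle as pk
from example_app.serializers import LivekitFrameSerializer

serializer = LivekitFrameSerializer()

def handle(message: bytes):
    return pk.loads(message)
'''

def find_unsafe_deserialization(source, filename="<src>"):
    """Return sorted (line, finding) tuples for one Python source string."""
    nodes = list(ast.walk(ast.parse(source, filename=filename)))
    findings, pickle_mods, pickle_funcs = set(), set(), {}
    # Pass 1: resolve imports first so aliases like "import pickle as pk" are caught.
    for node in nodes:
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "pickle":
                    pickle_mods.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                if node.module == "pickle" and a.name in PICKLE_SINKS:
                    pickle_funcs[a.asname or a.name] = a.name
                if a.name == RISKY_CLASS:
                    findings.add((node.lineno, f"imports {RISKY_CLASS}"))
    # Pass 2: flag pickle call sites and any use of the deprecated serializer.
    for node in nodes:
        if isinstance(node, ast.Call):
            f = node.func
            if (isinstance(f, ast.Attribute) and f.attr in PICKLE_SINKS
                    and isinstance(f.value, ast.Name) and f.value.id in pickle_mods):
                findings.add((node.lineno, f"calls pickle.{f.attr}"))
            elif isinstance(f, ast.Name) and f.id in pickle_funcs:
                findings.add((node.lineno, f"calls pickle.{pickle_funcs[f.id]}"))
        if ((isinstance(node, ast.Name) and node.id == RISKY_CLASS)
                or (isinstance(node, ast.Attribute) and node.attr == RISKY_CLASS)):
            findings.add((node.lineno, f"references {RISKY_CLASS}"))
    return sorted(findings)

if __name__ == "__main__":
    for line, finding in find_unsafe_deserialization(SAMPLE):
        print(f"line {line}: {finding}")
```

This is a heuristic over source text: it does not follow dynamic imports or reassigned names, so treat a clean result as a starting point rather than proof of absence.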