Threat Advisory

Pipecat Vulnerability Exposes Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
EXECUTIVE SUMMARY:

CVE-2025-62373 (CVSS score 9.8) is a critical vulnerability in the pipecat-ai package, affecting versions from 0.0.41 up to but not including 0.0.94, that allows an attacker to achieve remote code execution (RCE) on a Pipecat server. The vulnerability arises from the use of Python's pickle.loads() on untrusted WebSocket client data in the deprecated LivekitFrameSerializer class, which is intended for LiveKit integration and is not enabled by default. If the service is exposed, an attacker on the network or the internet can send a malicious pickle payload that executes arbitrary code on the Pipecat server. Successful exploitation has a high business impact, including data breaches, unauthorized modifications, and potential system compromise. Exploitation requires a Pipecat server that is configured to use LivekitFrameSerializer and listens on an external interface, together with a malicious WebSocket client capable of sending a crafted pickle payload.

RECOMMENDATION:

We recommend updating pipecat-ai to version 0.0.94.
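
To find out whether a deployment meets the conditions described in the summary, the following added example (not part of the advisory or of the Pipecat project) checks a version string against the affected range and scans a project's source tree for references to LivekitFrameSerializer. The function names and result keys are assumptions made for this example, and it does not check which network interface the server listens on.

```python
import re
from importlib import metadata
from pathlib import Path

# Affected range and class name as stated in the advisory.
FIRST_AFFECTED = (0, 0, 41)
FIRST_FIXED = (0, 0, 94)
SERIALIZER = "LivekitFrameSerializer"


def parse_version(text):
    """Leading numeric components only: '0.0.93.dev1' -> (0, 0, 93).
    Simplification: suffixes are ignored, so '0.0.94rc1' counts as 0.0.94."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def is_affected(version_text):
    """True when 0.0.41 <= version < 0.0.94."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def find_serializer_uses(root):
    """Yield (path, line_number, line) for non-comment references under root."""
    for path in sorted(Path(root).rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), start=1):
            if SERIALIZER in line and not line.lstrip().startswith("#"):
                yield path, number, line.strip()


def assess(root, version_text=None):
    """Report on one project tree; version defaults to the installed pipecat-ai.
    Network exposure (which interface the server binds to) is not checked."""
    if version_text is None:
        try:
            version_text = metadata.version("pipecat-ai")
        except metadata.PackageNotFoundError:
            return {"installed": None, "affected": False, "uses": [], "needs_action": False}
    affected = is_affected(version_text)
    uses = list(find_serializer_uses(root))
    return {"installed": version_text, "affected": affected, "uses": uses,
            "needs_action": affected and bool(uses)}


if __name__ == "__main__":
    import sys
    print(assess(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the path to the application's source tree as the only argument; a result with needs_action set to True means the installed version is in the affected range and the code references the deprecated serializer.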

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-c2jg-5cp7-6wc7
