Cyber Resilience

CVE-2024-14021

HighPublic PoC

Published: 12 January 2026

Published
12 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score v4 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0029 20.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2024-14021 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Llamaindex Llamaindex. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-14021 is an unsafe deserialization vulnerability (CWE-502) in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6. The flaw exists in the BGEM3Index.load_from_disk() function within llama_index/indices/managed/bge_m3/base.py, which invokes pickle.load() to deserialize the multi_embed_store.pkl file from a user-supplied persist_dir without validation. This allows deserialization of untrusted data loaded directly from disk.

An attacker can exploit the vulnerability by supplying a crafted persist directory containing a malicious pickle file. A victim who subsequently calls load_from_disk() on this directory will trigger arbitrary code execution. Per the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), exploitation requires local access, low complexity, no privileges, and user interaction to load the index, but grants high confidentiality, integrity, and availability impact.

Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization), Huntr (https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12), the LlamaIndex GitHub repository (https://github.com/run-llama/llama_index), and the project site (https://www.llamaindex.ai/), provide further details on the issue and associated mitigations or patches. Security practitioners should consult these sources for remediation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing…

more

a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llamaindex

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unsafe pickle deserialization in load_from_disk() directly enables arbitrary Python code execution when a victim loads a malicious local file (crafted persist_dir).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-58339Same product: Llamaindex Llamaindex
CVE-2024-12909Same product: Llamaindex Llamaindex
CVE-2026-31250Shared CWE-502
CVE-2026-31219Shared CWE-502
CVE-2026-31221Shared CWE-502
CVE-2026-7584Shared CWE-502
CVE-2026-31214Shared CWE-502
CVE-2026-24150Shared CWE-502
CVE-2026-24165Shared CWE-502
CVE-2026-22612Shared CWE-502

Affected Assets

llamaindex
llamaindex
≤ 0.11.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely flaw remediation, directly addressing CVE-2024-14021 by applying patches that fix the unsafe deserialization in BGEM3Index.load_from_disk().

prevent

SI-10 mandates validation of information inputs, preventing arbitrary code execution by ensuring deserialized data from user-supplied persist_dir is safe and consistent with expected formats.

prevent

SI-7 enforces integrity verification of software and information, detecting and blocking malicious modifications in the multi_embed_store.pkl file before deserialization.

References