CVE-2024-14021
Published: 12 January 2026
Summary
CVE-2024-14021 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in LlamaIndex. Its CVSS base score is 7.8 (High).
Operationally, it ranks at the 26.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing CVE-2024-14021 by applying patches that fix the unsafe deserialization in BGEM3Index.load_from_disk().
SI-10 mandates validation of information inputs, preventing arbitrary code execution by ensuring deserialized data from user-supplied persist_dir is safe and consistent with expected formats.
SI-7 enforces integrity verification of software and information, detecting and blocking malicious modifications in the multi_embed_store.pkl file before deserialization.
NVD Description
LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.
Deeper analysis
CVE-2024-14021 is an unsafe deserialization vulnerability (CWE-502) in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6. The flaw exists in the BGEM3Index.load_from_disk() function within llama_index/indices/managed/bge_m3/base.py, which invokes pickle.load() to deserialize the multi_embed_store.pkl file from a user-supplied persist_dir without validation. This allows deserialization of untrusted data loaded directly from disk.
An attacker can exploit the vulnerability by supplying a crafted persist directory containing a malicious pickle file. A victim who subsequently calls load_from_disk() on this directory will trigger arbitrary code execution. Per the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), exploitation requires local access, low complexity, no privileges, and user interaction to load the index, but grants high confidentiality, integrity, and availability impact.
Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization), Huntr (https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12), the LlamaIndex GitHub repository (https://github.com/run-llama/llama_index), and the project site (https://www.llamaindex.ai/), provide further details on the issue and associated mitigations or patches. Security practitioners should consult these sources for remediation guidance.
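One way to apply the SI-7 and SI-10 controls to a persist directory that comes from outside your trust boundary, as an added example (not LlamaIndex code and not the project's patch). The names safe_load_store and NoGlobalsUnpickler, the digest recorded out of band, and the premise that the store holds only plain containers, numbers and strings are assumptions; the sample directories are constructed.

```python
import hashlib
import hmac
import io
import pickle
import tempfile
from pathlib import Path

STORE_NAME = "multi_embed_store.pkl"  # file name from the advisory


class NoGlobalsUnpickler(pickle.Unpickler):
    """Assumes the store holds only plain containers, numbers and strings."""
    def find_class(self, module, name):
        # Every GLOBAL/STACK_GLOBAL opcode lands here; refuse them all.
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load_store(persist_dir, expected_sha256):
    """Check the file digest (SI-7), then load without globals (SI-10)."""
    data = (Path(persist_dir) / STORE_NAME).read_bytes()
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256):
        raise ValueError(f"digest mismatch for {STORE_NAME}")
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def demo():
    """Run three constructed persist directories through the loader."""
    samples = {"benign": {"doc-1": [0.1, 0.2]}, "with_global": {"doc-1": len}}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, obj in samples.items():
            persist_dir = Path(tmp) / label
            persist_dir.mkdir()
            blob = pickle.dumps(obj)
            (persist_dir / STORE_NAME).write_bytes(blob)
            digest = hashlib.sha256(blob).hexdigest()
            try:
                results[label] = safe_load_store(persist_dir, digest)
            except pickle.UnpicklingError as exc:
                results[label] = f"rejected: {exc}"
        try:  # same benign file, but the recorded digest does not match
            safe_load_store(Path(tmp) / "benign", "0" * 64)
        except ValueError as exc:
            results["bad_digest"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```

The digest only helps if it is stored somewhere the supplier of the directory cannot write; a checksum file inside the same persist_dir gives no protection.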
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llama