Cyber Resilience

CVE-2025-3108

High · Public PoC

Published: 06 July 2025

Modified: 30 July 2025
KEV Added:
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0161 (82.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-3108 is a high-severity Incomplete Documentation of Program Execution (CWE-1112) vulnerability in Llamaindex. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 17.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

A critical deserialization vulnerability affects the JsonPickleSerializer component in the run-llama/llama_index library, specifically versions v0.12.27 through v0.12.40. The flaw arises from an insecure fallback to Python's pickle module, where the serializer prioritizes pickle.loads() without validation or safeguards, enabling arbitrary code execution on untrusted input and violating standard Python security practices.

Attackers with the ability to supply malicious serialized data can trigger remote code execution, achieving full system compromise. The reported CVSS 7.5 score reflects a network-accessible vector that requires user interaction and high attack complexity yet yields complete confidentiality, integrity, and availability impact.

A fix addressing the insecure deserialization path is referenced in the project commit at https://github.com/run-llama/llama_index/commit/702e4340623092fac4cf2fe95eb9465034856da3, with additional details available in the associated huntr report. The library's use in LLM indexing workflows makes the component relevant to AI/ML environments, though the EPSS score has remained low with only minor movement between its current value of 0.0161 and peak of 0.0195.
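The pickle-first fallback described above, set beside a JSON-only loader and a static triage check for stored blobs, as an added example that is not code from llama_index or from this page. The function names, the JSON-only design and the sample blobs are assumptions constructed for illustration.

```python
import collections
import json
import pickle
import pickletools

# Opcodes that make the unpickler import a name or call/construct an object.
CALLABLE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                    "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def pickle_first_loads(blob: bytes):
    """Hypothetical 'before' pattern: pickle is tried first, JSON is only the
    fallback, so any caller-supplied bytes reach pickle.loads()."""
    try:
        return pickle.loads(blob)
    except Exception:
        return json.loads(blob.decode("utf-8"))

def json_only_loads(blob: bytes):
    """Hardened form (an assumption, not the project's patch): JSON or nothing."""
    try:
        return json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("refusing non-JSON serialized data") from exc

def triage(blob: bytes) -> str:
    """Classify a stored blob by format without deserializing it."""
    try:
        json.loads(blob.decode("utf-8"))
        return "json"
    except (UnicodeDecodeError, json.JSONDecodeError):
        pass
    try:
        ops = {op.name for op, _arg, _pos in pickletools.genops(blob)}
    except Exception:
        return "unknown"
    return "pickle-with-callables" if ops & CALLABLE_OPCODES else "pickle-data-only"

# Constructed sample blobs (benign), standing in for stored serializer output.
SAMPLES = {
    "json": b'{"step": 3}',
    "plain-pickle": pickle.dumps({"step": 3}),
    "object-pickle": pickle.dumps(collections.OrderedDict(step=3)),
    "garbage": b"\x00\x01not-a-known-format",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} -> {triage(blob)}")
```

`triage()` relies on `pickletools.genops`, which walks the opcode stream without executing it, so it can be run over stored blobs of unknown origin to find data that only a pickle-based loader would accept.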

Vulnerability details

A critical deserialization vulnerability exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause includes an insecure fallback mechanism, lack of validation or safeguards, misleading design, and violation of Python security guidelines.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The deserialization vulnerability enables remote code execution (T1210) via crafted malicious payloads processed by the insecure fallback to Python's pickle.loads(), which executes arbitrary Python code (T1059.006).

Affected Assets

Vendor: llamaindex
Product: llamaindex
Versions: 0.12.27 to 0.12.41

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
