CVE-2025-3108
Published: 06 July 2025
Summary
CVE-2025-3108 is a high-severity vulnerability in LlamaIndex (run-llama/llama_index), catalogued here under Incomplete Documentation of Program Execution (CWE-1112); the behaviour actually described in the advisory is deserialization of untrusted data through Python's pickle module. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 17.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
A critical deserialization vulnerability affects the JsonPickleSerializer component of run-llama/llama_index, versions v0.12.27 through v0.12.40. The deserializer hands its input to pickle.loads() before trying any other format, with no validation or safeguards. Because unpickling reconstructs objects by calling whatever callables the stream names, a crafted payload runs attacker-supplied code as a side effect of being loaded, contrary to the standard Python guidance that pickle must never be applied to untrusted data.
An attacker who can get malicious serialized data into that code path achieves remote code execution inside the process that deserializes it, which amounts to full compromise of the host or container running it. The CVSS 7.5 score reflects a network-reachable vector with high attack complexity and a required user interaction (someone or something has to feed the payload to the deserializer), combined with complete confidentiality, integrity, and availability impact once the payload lands.
A fix for the insecure deserialization path is referenced in the project commit at https://github.com/run-llama/llama_index/commit/702e4340623092fac4cf2fe95eb9465034856da3, with additional details in the associated huntr report. The library's role in LLM indexing and workflow pipelines makes this component relevant to AI/ML environments that persist or exchange serialized state. The EPSS score has nevertheless stayed low, moving only between its current value of 0.0161 and a peak of 0.0195.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20156
Vulnerability details
A critical deserialization vulnerability exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause includes an insecure fallback mechanism, lack of validation or safeguards, misleading design, and violation of Python security guidelines.
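To make the failure mode described above concrete, the following Python is an added illustration written for this page; it is not llama_index's JsonPickleSerializer or the project's fix, and the names vulnerable_deserialize, hardened_deserialize, SafeUnpickler, Payload, and the base64-wrapped encoding are all hypothetical. It reproduces the reported anti-pattern (pickle first, JSON as fallback), shows that a pickle built with __reduce__ runs a function of the attacker's choosing merely by being loaded, and contrasts a hardened deserializer that parses JSON first, refuses non-JSON input unless pickle is explicitly opted in, and even then rejects every global lookup in the stream.

```python
import base64
import io
import json
import pickle

# Records what ran during deserialization. This stands in for the attacker's
# real payload (os.system, a reverse shell, a file write). Constructed for this example.
EXECUTED = []


def _record(tag):
    """Benign stand-in for attacker code; a real payload would call os.system or similar."""
    EXECUTED.append(tag)
    return tag


class Payload:
    """Attacker-controlled object. __reduce__ tells pickle to rebuild it by
    calling _record("pwned"), so the call happens inside pickle.loads() itself."""

    def __reduce__(self):
        return (_record, ("pwned",))


def build_malicious_blob():
    """What the attacker ships: a base64-wrapped pickle in the shape the
    vulnerable path expects (hypothetical encoding, not the library's)."""
    return base64.b64encode(pickle.dumps(Payload())).decode()


def vulnerable_deserialize(value):
    """Mirrors the reported anti-pattern: try pickle first, only then JSON.
    Any input that base64-decodes into a valid pickle is executed, not parsed."""
    try:
        return pickle.loads(base64.b64decode(value))
    except Exception:
        return json.loads(value)


class SafeUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup. A pickle that cannot name a
    callable cannot call one, so __reduce__-style payloads are rejected before
    they run; only plain containers and scalars survive."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def hardened_deserialize(value, allow_pickle=False):
    """JSON is the default and the only automatic format. Pickle is opt-in and,
    even then, goes through SafeUnpickler rather than bare pickle.loads()."""
    try:
        return json.loads(value)
    except ValueError:
        pass
    if not allow_pickle:
        raise ValueError("refusing non-JSON payload; pickle is disabled")
    raw = base64.b64decode(value, validate=True)
    return SafeUnpickler(io.BytesIO(raw)).load()


def _attempt(fn, value, **kwargs):
    """Return ('loaded', result) or ('rejected', exception class name)."""
    try:
        return ("loaded", fn(value, **kwargs))
    except (ValueError, pickle.UnpicklingError) as exc:
        return ("rejected", type(exc).__name__)


def run_demo():
    """Feed the same benign JSON and the same malicious blob to both deserializers."""
    benign = '{"k": [1, 2]}'  # constructed sample input
    blob = build_malicious_blob()
    EXECUTED.clear()
    out = {
        "vulnerable_json": _attempt(vulnerable_deserialize, benign),
        "vulnerable_pickle": _attempt(vulnerable_deserialize, blob),
        "ran_during_vulnerable": list(EXECUTED),
    }
    EXECUTED.clear()
    out["hardened_json"] = _attempt(hardened_deserialize, benign)
    out["hardened_pickle_default"] = _attempt(hardened_deserialize, blob)
    out["hardened_pickle_optin"] = _attempt(hardened_deserialize, blob, allow_pickle=True)
    out["ran_during_hardened"] = list(EXECUTED)
    return out


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

Two points worth noting when reading the output. First, the vulnerable path never had a chance to inspect the payload: the attacker's callable runs while pickle.loads() is still reconstructing the object, so any validation placed after the call is too late. Second, find_class is invoked for every GLOBAL and STACK_GLOBAL opcode, including references to builtins, so the all-refusing SafeUnpickler is the strictest possible setting; an allow-list would be a deliberate relaxation of it, and the safest option for workflow state remains JSON only, which is what the hardened function does by default.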
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The insecure fallback to pickle.loads() lets a crafted serialized payload run during deserialization, giving an attacker remote code execution against the service that accepts it (T1210); what runs is arbitrary Python inside the victim process, hence Command and Scripting Interpreter: Python (T1059.006).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.