{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pipecat/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-62373"}],"_cs_exploited":false,"_cs_products":["pipecat-ai"],"_cs_severities":["critical"],"_cs_tags":["remote code execution","deserialization","pipecat"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2025-62373) exists in Pipecat\u0026rsquo;s \u003ccode\u003eLivekitFrameSerializer\u003c/code\u003e, an optional, non-default, and now deprecated frame serializer class intended for LiveKit integration. The \u003ccode\u003edeserialize()\u003c/code\u003e method in \u003ccode\u003esrc/pipecat/serializers/livekit.py\u003c/code\u003e uses Python\u0026rsquo;s \u003ccode\u003epickle.loads()\u003c/code\u003e on data received from WebSocket clients without validation or sanitization. This allows a malicious WebSocket client to send a crafted pickle payload to execute arbitrary code on the Pipecat server. While \u003ccode\u003eLivekitFrameSerializer\u003c/code\u003e is not enabled by default and was deprecated in version 0.0.90 in favor of the safer \u003ccode\u003eLiveKitTransport\u003c/code\u003e method, it remains in the codebase and could be inadvertently used, posing a severe risk if a Pipecat server is configured to use it and is listening on an external interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Pipecat server with an exposed WebSocket endpoint (e.g., listening on 0.0.0.0:8765) using the vulnerable \u003ccode\u003eLivekitFrameSerializer\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious Python pickle payload. This payload contains instructions to execute arbitrary code on the server, using techniques like defining a class with a \u003ccode\u003e__reduce__\u003c/code\u003e method that calls \u003ccode\u003eos.system()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a WebSocket connection to the Pipecat server.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted pickle payload as a WebSocket message to the server.\u003c/li\u003e\n\u003cli\u003eThe Pipecat server receives the message and passes the data to the \u003ccode\u003eLivekitFrameSerializer.deserialize()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edeserialize()\u003c/code\u003e method calls \u003ccode\u003epickle.loads()\u003c/code\u003e on the attacker-controlled data without proper validation.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epickle.loads()\u003c/code\u003e deserializes the malicious pickle object, triggering the execution of the attacker\u0026rsquo;s code on the server with the privileges of the Pipecat process.\u003c/li\u003e\n\u003cli\u003eAttacker achieves remote code execution, potentially leading to full compromise of the server, including data exfiltration, malware installation, or pivoting to other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability, CVE-2025-62373, allows an attacker to achieve remote code execution on the Pipecat server. If an application uses \u003ccode\u003eLivekitFrameSerializer\u003c/code\u003e and exposes the Pipecat WebSocket server to untrusted networks, an attacker can completely compromise the server. This could lead to the execution of operating system commands, data modification, malware installation, or pivoting to other systems. The vulnerability is critical because any code execution flaw in a real-time communications server context poses a high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately stop using the \u003ccode\u003eLivekitFrameSerializer\u003c/code\u003e due to its use of unsafe pickle deserialization. Migrate to the recommended \u003ccode\u003eLiveKitTransport\u003c/code\u003e or other secure methods provided by the Pipecat framework (see Overview).\u003c/li\u003e\n\u003cli\u003eUpdate Pipecat to a version \u0026gt;= 0.0.94 to receive the deprecation warning.\u003c/li\u003e\n\u003cli\u003eIf you must support LiveKit integration or binary frame serialization, use safer alternatives like JSON, Protocol Buffers, or MessagePack.\u003c/li\u003e\n\u003cli\u003eBind the Pipecat service to localhost (127.0.0.1) whenever possible to prevent external network access as mentioned in the Overview.\u003c/li\u003e\n\u003cli\u003eImplement authentication and authorization on the WebSocket connection to restrict who can send data to the server, as described in the Mitigation section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-pipecat-rce/","summary":"A critical vulnerability, CVE-2025-62373, exists in Pipecat's LivekitFrameSerializer where the deserialize() method uses Python's pickle.loads() on WebSocket data without validation, allowing a malicious WebSocket client to execute arbitrary code on the Pipecat server if LivekitFrameSerializer is explicitly enabled.","title":"Pipecat Remote Code Execution via Pickle Deserialization in LivekitFrameSerializer","url":"https://feed.craftedsignal.io/briefs/2024-01-pipecat-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Pipecat","version":"https://jsonfeed.org/version/1.1"}