External risk intelligence

Pipecat server code execution risk due to unsafe data handling.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-62373

An external attacker can exploit a flaw in Pipecat to gain full administrative control over the server. This access allows them to run unauthorized commands, potentially resulting in data theft and total system compromise.

2Halo Surface Signal

Deserialization

Pipecat

0.0.41 to before 0.0.94

External exposure likelihood

Halo Surface Signal score for CVE-2025-62373

The vulnerability exists in an optional, non-default, and undocumented component. Exploitation requires specific, non-standard configuration to be active. While the underlying application may be network-accessible, this specific vulnerable code path is not exposed by default, making public internet exposure in this specific configuration uncommon.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Pipecat Python framework allows for arbitrary code execution on a server. This occurs when an optional, undocumented component is used to deserialize data from WebSocket clients without proper validation. If your Pipecat server is exposed to the network and configured to use this specific component, it could be compromised.

  • Attackers can run code on your server.
  • Affects specific Pipecat configurations.
  • Security risk if exposed externally.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this flaw by sending a crafted pickle payload over a WebSocket connection to a vulnerable Pipecat server. This can lead to arbitrary code execution on the server if the attacker can reach a Pipecat instance configured to use the deprecated `LivekitFrameSerializer`.

  • Network access required.
  • Targets `LivekitFrameSerializer`.
  • Exploitation requires specific configuration.

Live Threat

Current exploitation, exposure, and threat context

Attackers will likely find this vulnerability unappealing due to its niche implementation. Exploitation requires a specific, optional component to be actively used and configured in a particular way, which is not a default setup. This significantly reduces the attack surface compared to vulnerabilities in core, widely used features.

  • Vulnerable code is optional.
  • Not a default configuration.
  • Fix is available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate removal or disabling of the `LivekitFrameSerializer` if it is in use, as it allows for remote code execution via unvalidated pickle deserialization. If you cannot immediately remove it, isolate affected Pipecat services to prevent network access and investigate all instances using this serializer.

  • Upgrade Pipecat to version 0.0.94.
  • Disable `LivekitFrameSerializer` if not essential.
  • Block untrusted WebSocket traffic.

Frequently asked questions

What is Pipecat and what is it used for?

Pipecat is an open-source Python framework designed for building real-time voice and multimodal conversational agents. It provides the tools and structure for developers to create interactive AI applications that can understand and respond using both voice and other forms of data.

What is the weakness in Pipecat CVE-2025-62373?

CVE-2025-62373 is related to a deserialization vulnerability, specifically CWE-502. The `LivekitFrameSerializer` class in Pipecat incorrectly uses Python's `pickle.loads()` function on data from WebSocket clients without checking it first. This allows a malicious client to send specially crafted data that can execute arbitrary code on the server.

How can an attacker exploit this Pipecat vulnerability?

An attacker can exploit this vulnerability by sending a malicious pickle payload through a WebSocket connection to a Pipecat server. This attack is only possible if the server is configured to use the `LivekitFrameSerializer`, which is an optional and undocumented component, and if the attacker has network access to the server.

Who should care about this Pipecat vulnerability (CVE-2025-62373)?

Anyone running a Pipecat server that is accessible over a network, especially those using the deprecated `LivekitFrameSerializer`, should care. This includes Pipecat instances that are internet-facing, as they present a higher risk of external attackers reaching the vulnerable component.

What is the first step to respond to this Pipecat threat?

The most effective first step is to stop using the `LivekitFrameSerializer` if it is currently configured. If you require LiveKit functionality, upgrade Pipecat to version 0.0.94 or later and switch to a more secure method like `LiveKitTransport`.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified