Critical (9.8)

Pipecat unauthenticated RCE via pickle (CVE-2025-62373)

CVE-2025-62373

Attackers can achieve full RCE via unsafe pickle deserialization in Pipecat. Upgrade to version 0.0.94 immediately to block this exploit.

Affected: Pipecat

Patch now - CVE-2025-62373 is a critical remote code execution vulnerability in Pipecat versions 0.0.41 through 0.0.93 that grants unauthenticated attackers full server compromise via malicious WebSocket payloads. Upgrade to version 0.0.94 or immediately remove the deprecated LivekitFrameSerializer to block exploitation.

Overview

Pipecat versions 0.0.41 through 0.0.93 contain a critical remote code execution vulnerability in the LivekitFrameSerializer class. This optional, non-default frame serializer (now deprecated) deserializes data from WebSocket clients using Python’s pickle.loads() without validation or sanitization. An unauthenticated attacker can send a malicious pickle payload via WebSocket to execute arbitrary commands on the Pipecat server.

Technical Details

The vulnerability exists in src/pipecat/serializers/livekit.py at line 73. The deserialize() method receives raw WebSocket message data from clients and passes it directly to pickle.loads(). Python’s pickle module is inherently unsafe when processing untrusted data, as it can reconstruct arbitrary objects and execute code during deserialization.

A Pipecat server configured to use LivekitFrameSerializer and listening on an external interface (such as 0.0.0.0) is exploitable. An attacker on the same network or the internet (if the service is exposed) can achieve full server compromise without authentication.

Impact

Successful exploitation grants an attacker full remote code execution on the Pipecat server with the privileges of the Pipecat process. This could lead to:

  • Complete system compromise
  • Data theft or destruction
  • Lateral movement within the network
  • Installation of persistent backdoors

The CVSS score of 9.8 places this in the Critical severity band, reflecting network-based exploitation, low attack complexity, no privileges required, and no user interaction.

Affected Versions

Pipecat versions 0.0.41 through 0.0.93 inclusive.

Remediation

Immediate Actions:

  1. Stop using LivekitFrameSerializer - This class is deprecated and should not be used. Remove any configuration that references it.
  2. Upgrade to Pipecat 0.0.94 - This version removes the vulnerable serializer and provides secure alternatives.
  3. Use LiveKitTransport - If you require LiveKit functionality, switch to the recommended secure transport method.

Network-Level Mitigations:

  • Ensure Pipecat servers are not exposed on public interfaces unless absolutely necessary.
  • Restrict WebSocket access to trusted networks only.
  • Apply firewall rules to limit inbound connections.

Secure Coding Practices:

  • Never use pickle.loads() (or similar unsafe deserialization, such as yaml.load() without a safe loader) on untrusted data.
  • Always validate and sanitize client-supplied data before processing.
  • Conduct regular code audits for insecure deserialization patterns.
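
One way to automate the audit and the version check described above. This is an added example, not code from the advisory or from Pipecat; the function names, the constructed sample and its import path (inferred from the file path in Technical Details) are assumptions.

```python
import ast

# Patterns named in the advisory. Aliased imports ("import pickle as p",
# "from pickle import loads") are not resolved by this simple audit.
UNSAFE_CALLS = {("pickle", "loads"), ("pickle", "load"), ("yaml", "load")}
DEPRECATED = {"LivekitFrameSerializer"}
AFFECTED = ((0, 0, 41), (0, 0, 93))  # inclusive range stated in the advisory

def is_affected(version):
    """True if a plain X.Y.Z Pipecat version is in the affected range."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return AFFECTED[0] <= parts <= AFFECTED[1]

def _safe_yaml(call):
    # yaml.load is acceptable only when a Safe* loader is passed explicitly
    loaders = call.args[1:] + [k.value for k in call.keywords if k.arg == "Loader"]
    return any("Safe" in ast.unparse(a) for a in loaders)

def audit_source(source, filename="<string>"):
    """Return sorted (line, finding) pairs for risky patterns in Python source."""
    found = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [alias.name for alias in node.names]
        else:  # only ast.Name has .id and only ast.Attribute has .attr
            names = [getattr(node, "id", None), getattr(node, "attr", None)]
        for name in DEPRECATED.intersection(names):
            found.add((node.lineno, f"reference to {name}"))
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            base, attr = node.func.value, node.func.attr
            if isinstance(base, ast.Name) and (base.id, attr) in UNSAFE_CALLS:
                if not (base.id == "yaml" and _safe_yaml(node)):
                    found.add((node.lineno, f"{base.id}.{attr}() call"))
    return sorted(found)

# Constructed sample input, not code from Pipecat or the advisory.
SAMPLE = '''\
import pickle, yaml
from pipecat.serializers.livekit import LivekitFrameSerializer
serializer = LivekitFrameSerializer()
def handle(message):
    return pickle.loads(message)
def config(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    for line, finding in audit_source(SAMPLE):
        print(f"line {line}: {finding}")
```

Run `audit_source` over each `.py` file in a deployment, and feed `is_affected` the installed version string (for example from `importlib.metadata.version`).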

Security Insight

This vulnerability highlights a recurring pattern in Python frameworks where developers reach for pickle as a convenient serialization method, forgetting its fundamental design as a serialization format for trusted data - not a secure data format. The Pipecat team’s response (deprecating the class and providing secure alternatives) is commendable, but the incident underscores the importance of treating every network-facing component as a potential attack surface, even undocumented “optional” features. Organizations building real-time communication applications should enforce strict code review policies around deserialization and maintain an inventory of all network-exposed classes and their trust boundaries.
