CVE-2025-3108
BaseFortify
Publication date: 2025-07-06
Last updated on: 2025-07-30
Assigner: huntr.dev
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| llamaindex | llamaindex | From 0.12.27 (inc) to 0.12.41 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1112 | The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical deserialization flaw in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions from 0.12.27 up to but not including 0.12.41. Instead of rejecting input it cannot handle as JSON, the component insecurely falls back to Python's pickle.loads(). Unpickling reconstructs objects by calling whatever callables the byte stream names (through the __reduce__ protocol), so any attacker-controlled serialized data that reaches this component can carry a payload that executes arbitrary code in the application's process.
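The pattern described above, as an added example that is not code from llama_index or from this page: a toy serializer that accepts JSON and falls back to pickle.loads(), a harmless gadget showing that untrusted input executes code during unpickling, and two hardened alternatives (a JSON-only serializer, and a find_class allow-list for cases where pickle cannot be removed). The class names, the base64 transport encoding, the order in which JSON and pickle are tried, and the eval-based gadget are assumptions made for illustration; the actual fix for the affected range is upgrading to 0.12.41 or later.

```python
"""Added illustration of the JSON-then-pickle fallback pattern (toy code, not
llama_index's implementation; base64 transport and class names are assumed)."""
import base64
import io
import json
import os
import pickle
from typing import Any


class PickleFallbackSerializer:
    """Vulnerable pattern: JSON first, pickle.loads for anything that is not JSON."""

    def serialize(self, value: Any) -> str:
        try:
            return json.dumps(value)
        except TypeError:
            # Non-JSON-able object: fall back to pickle (assumed base64 transport).
            return base64.b64encode(pickle.dumps(value)).decode("ascii")

    def deserialize(self, data: str) -> Any:
        try:
            return json.loads(data)
        except ValueError:
            # Anything that is not valid JSON reaches pickle.loads, so attacker
            # supplied bytes drive object construction, i.e. arbitrary code runs.
            return pickle.loads(base64.b64decode(data))


class Gadget:
    """Benign stand-in for an attacker gadget. Unpickling it calls eval() on
    attacker-chosen source; a real payload would use os.system or similar."""

    def __reduce__(self):
        # The pickle stores only builtins.eval plus the string: no reference
        # to this class is needed on the victim side.
        return (eval, ("__import__('os').getpid()",))


def build_payload() -> str:
    """Constructed attacker input: base64(pickle(Gadget())), as text."""
    return base64.b64encode(pickle.dumps(Gadget())).decode("ascii")


class JsonOnlySerializer:
    """Hardened form: JSON only. Non-JSON input is rejected, never unpickled."""

    def serialize(self, value: Any) -> str:
        return json.dumps(value)  # TypeError for non-JSON-able objects, by design

    def deserialize(self, data: str) -> Any:
        try:
            return json.loads(data)
        except ValueError as exc:
            raise ValueError("refusing non-JSON serialized state") from exc


class RestrictedUnpickler(pickle.Unpickler):
    """If pickle cannot be removed, allow-list the globals it may resolve.
    Every GLOBAL / STACK_GLOBAL opcode is resolved through find_class."""

    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run the payload against each deserializer and report what happened."""
    payload = build_payload()
    outcome = {}

    # 1. Vulnerable: pickle.loads runs eval(), which imports os and returns our
    #    pid. Matching os.getpid() proves attacker code executed in-process.
    outcome["vulnerable_ran_code"] = (
        PickleFallbackSerializer().deserialize(payload) == os.getpid()
    )

    # 2. JSON-only serializer refuses the same payload outright.
    try:
        JsonOnlySerializer().deserialize(payload)
        outcome["json_only_rejected"] = False
    except ValueError:
        outcome["json_only_rejected"] = True

    # 3. Restricted unpickler refuses to resolve builtins.eval.
    try:
        restricted_loads(base64.b64decode(payload))
        outcome["restricted_rejected"] = False
    except pickle.UnpicklingError:
        outcome["restricted_rejected"] = True

    # 4. Ordinary state still round-trips through both hardened paths.
    state = {"query": "hello", "top_k": 3}
    outcome["json_roundtrip_ok"] = (
        JsonOnlySerializer().deserialize(JsonOnlySerializer().serialize(state)) == state
    )
    outcome["restricted_plain_data_ok"] = restricted_loads(pickle.dumps(state)) == state
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The gadget is deliberately harmless: eval() returning the process id is enough to prove that attacker-chosen source ran inside the deserializing process, and the same pickle stream with os.system in place of eval would run a shell command. Note that the allow-list unpickler only helps if the listed globals are themselves free of dangerous side effects on construction; removing pickle from the input path, as the JSON-only class does, is the safer change.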
How can this vulnerability impact me?
The vulnerability can lead to remote code execution: an attacker who can supply or modify serialized data that the affected component deserializes can run arbitrary code with the privileges of the application process. This can result in full system compromise, giving the attacker control over your environment, access to sensitive data (including any API keys and documents the application holds), and the ability to disrupt services. Upgrade llamaindex to 0.12.41 or later, and until then do not pass this serializer data from untrusted sources.