Description
Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` – an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integration. The class's `deserialize()` method uses Python's `pickle.loads()` on data received from WebSocket clients without any validation or sanitization. This means that a malicious WebSocket client can send a crafted pickle payload to execute arbitrary code on the Pipecat server. The vulnerable code resides in `src/pipecat/serializers/livekit.py` (around line 73), where untrusted WebSocket message data is passed directly into `pickle.loads()` for deserialization. If a Pipecat server is configured to use LivekitFrameSerializer and is listening on an external interface (e.g. 0.0.0.0), an attacker on the network (or the internet, if the service is exposed) could achieve remote code execution (RCE) on the server by sending a malicious pickle payload. Version 0.0.94 contains a fix. Users of Pipecat should avoid or replace unsafe deserialization and improve network security configuration. The best mitigation is to stop using the vulnerable LivekitFrameSerializer altogether. Those who require LiveKit functionality should upgrade to the latest Pipecat version and switch to the recommended `LiveKitTransport` or another secure method provided by the framework. Additionally, always follow secure coding practices: never trust client-supplied data, and avoid Python pickle (or similar unsafe deserialization) in network-facing components.
Published: 2026-04-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Pipecat contains a code execution flaw due to an unsafe use of Python’s pickle deserialization in its optional LivekitFrameSerializer. The serializer accepts data from WebSocket clients and passes it directly to pickle.loads without any validation or sanitization. This leads to arbitrary code execution when a crafted pickle payload is sent, a classic instance of insecure deserialization (CWE‑502). The vulnerability exposes the hosting server to full compromise of confidentiality, integrity, and availability if exploited.

Affected Systems

The issue affects the open‑source Python framework developed by pipecat‑ai, specifically the pipecat package. Versions ranging from 0.0.41 through 0.0.93 are vulnerable. The fix was rolled out in release 0.0.94, which removes the insecure deserialization path. Attackers can target any instance that is configured to use the deprecated LivekitFrameSerializer and is reachable on an external interface such as 0.0.0.0, whether exposed on the local network or the public internet.

Risk and Exploitability

The flaw is rated critical, with a CVSS score of 9.8. The EPSS score is below 1%, which indicates a low estimated likelihood of exploitation at present, but the risk remains significant because the attack vector is a network-side WebSocket connection, which is trivial to establish against exposed services. The vulnerability is not listed in the CISA KEV catalog, but the combination of a high CVSS score and the nature of the flaw warrants prompt remediation wherever the vulnerable serializer is active.

Generated by OpenCVE AI on April 28, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Stop using the LivekitFrameSerializer entirely and remove it from your Pipecat configuration
  • Upgrade the Pipecat package to version 0.0.94 or later, which removes the unsafe deserialization logic
  • If LiveKit functionality is required, switch to the recommended LiveKitTransport or another secure transport mechanism provided by the framework
  • Restrict the Pipecat service to local interfaces or protect it with a firewall so that only trusted hosts can reach the WebSocket endpoint
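
A triage check for the first two actions above, as an added example (not code from Pipecat or OpenCVE): it tests a version string against the affected range 0.0.41 through 0.0.93 and uses `ast` to find where a source file imports or names `LivekitFrameSerializer`. The sample source and the `params_cls` name are constructed for illustration; the module path is derived from the file path given in the description.

```python
import ast
import re

# Affected range stated in the advisory: 0.0.41 through 0.0.93 (fixed in 0.0.94).
FIRST_AFFECTED, LAST_AFFECTED = (0, 0, 41), (0, 0, 93)
SERIALIZER = "LivekitFrameSerializer"
MODULE = "pipecat.serializers.livekit"  # from src/pipecat/serializers/livekit.py

# Constructed sample application source; params_cls is a hypothetical name.
SAMPLE_APP = '''\
from pipecat.serializers.livekit import LivekitFrameSerializer

def build(params_cls):
    return params_cls(serializer=LivekitFrameSerializer())
'''


def version_is_affected(text):
    """True if the leading X.Y.Z of the version string is inside the affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return FIRST_AFFECTED <= tuple(int(p) for p in m.groups()) <= LAST_AFFECTED


def serializer_references(source):
    """Sorted line numbers where the source imports or names the serializer."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom):
            if node.module == MODULE or any(a.name == SERIALIZER for a in node.names):
                hits.add(node.lineno)
        elif isinstance(node, ast.Import):
            if any(a.name == MODULE for a in node.names):
                hits.add(node.lineno)
        elif isinstance(node, (ast.Name, ast.Attribute)):
            if SERIALIZER in (getattr(node, "id", None), getattr(node, "attr", None)):
                hits.add(node.lineno)
    return sorted(hits)


def assess(version, source):
    """Triage verdict for one (installed version, source file) pair."""
    refs = serializer_references(source)
    if refs and version_is_affected(version):
        return "exposed", refs
    if refs:
        return "remove-deprecated-serializer", refs
    return "not-using-serializer", refs
```

The installed version can be read with `importlib.metadata.version()`; the distribution name to pass (assumed here to be `pipecat-ai`) should be confirmed against your environment. A reference found this way shows the serializer is wired in, not that the WebSocket endpoint is reachable, so the bind address and firewall rules still need checking.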



Advisories
Source: Github GHSA
ID: GHSA-c2jg-5cp7-6wc7
Title: Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer

History

Wed, 29 Apr 2026 15:15:00 +0000

  • First Time appeared (values added): Pipecat; Pipecat pipecat
  • CPEs (values added): cpe:2.3:a:pipecat:pipecat:*:*:*:*:*:*:*:*
  • Vendors & Products (values added): Pipecat; Pipecat pipecat

Tue, 28 Apr 2026 09:45:00 +0000

  • First Time appeared (values added): Pipecat-ai; Pipecat-ai pipecat
  • Vendors & Products (values added): Pipecat-ai; Pipecat-ai pipecat

Thu, 23 Apr 2026 19:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:45:00 +0000

  • Description (values added): identical to the Description at the top of this page
  • Title (values added): Pipecat vulnerable to Remote Code Execution by Pickle Deserialization via LivekitFrameSerializer
  • Weaknesses (values added): CWE-502
  • References
  • Metrics (values added): cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T18:35:54.660Z

Reserved: 2025-10-10T14:22:48.204Z

Link: CVE-2025-62373

Vulnrichment

Updated: 2026-04-23T18:35:49.907Z

NVD

Status: Analyzed

Published: 2026-04-23T16:16:24.140

Modified: 2026-04-29T15:00:38.423

Link: CVE-2025-62373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses