Pipecat Voice Agent Framework — Pickle Deserialization RCE (CVE-2025-62373)
AI relevance: Pipecat is a widely-used open-source Python framework for building real-time voice and multimodal conversational AI agents — the LivekitFrameSerializer component deserializes untrusted data via pickle, enabling full RCE on any voice AI server exposed to the network.
- CVE-2025-62373 — Critical RCE via insecure deserialization (CVSS 9.8) in the pipecat-ai Python package
- Vulnerable component — The LivekitFrameSerializer class uses pickle.loads() on attacker-controlled data
- Attack vector — Network-accessible Pipecat servers bound to external interfaces (e.g., 0.0.0.0) can receive malicious pickle payloads from any host on the network or internet
- Impact — Arbitrary code execution with full confidentiality, integrity, and availability compromise; no authentication or user interaction required
- Use case context — Voice AI agents built with Pipecat often handle sensitive conversations and may have access to downstream APIs, databases, and tool-calling integrations
- Pattern recognition — This is the third major pickle deserialization RCE found in AI/ML infrastructure this month, alongside Hugging Face LeRobot (CVE-2026-25874) and the broader Python ML ecosystem's reliance on unsafe serialization
Why it matters
Pickle deserialization vulnerabilities in AI frameworks are becoming a systemic pattern. Both Pipecat and Hugging Face LeRobot share the same root cause: using pickle.loads() to process data from untrusted network sources. Python's pickle format is fundamentally unsafe for any data that crosses a trust boundary — it can execute arbitrary code during deserialization, making it equivalent to eval() on serialized objects.
Voice AI agent frameworks like Pipecat are particularly risky attack surfaces because they handle real-time audio streams and often integrate with telephony systems, CRM platforms, and other enterprise tooling. A compromised voice agent server could intercept conversations, exfiltrate transcripts, or pivot into connected systems via the agent's tool integrations.
The ML ecosystem needs to converge on safe serialization standards. Hugging Face's safetensors was created for exactly this reason, but adoption remains inconsistent across the broader Python AI framework ecosystem.
What to do
- Audit all Pipecat deployments to verify the server is not bound to externally-reachable interfaces unless required
- Replace LivekitFrameSerializer with a safe serialization format (JSON, msgpack, or protobuf) that does not support arbitrary code execution
- Apply network-level controls: restrict access to Pipecat server ports using firewall rules and zero-trust network policies
- Monitor for deserialization-related CVEs in all Python AI frameworks in your stack — this pattern is recurring and likely to appear in other packages
- Advocate for framework maintainers to adopt safe-by-default serialization and publish security advisories for known unsafe patterns
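The two points above that matter most to an engineer are the root cause (pickle.loads() on bytes that crossed a trust boundary behaves like eval()) and the fix (a data-only format with an explicit schema). The following added example, which is not Pipecat's code and does not reproduce LivekitFrameSerializer, makes both concrete: a JSON frame codec whose allowlisted frame types and fields (the "audio" and "text" frames are assumptions for illustration) can only ever yield primitives, shown beside a pickle loader that refuses every global lookup. The locked-down loader is included to show how much of the pickle format has to be disabled before it is merely data, which is the argument for replacing it rather than patching around it; the small header check is a logging signal for the monitoring bullet, not a control.

```python
"""Added example, not Pipecat project code. Frame names, field names and the
size limit are assumptions chosen for illustration."""
import base64
import collections
import io
import json
import pickle

MAX_FRAME_BYTES = 64 * 1024  # reject oversized frames before parsing anything

# Allowlisted frame types and the exact Python type each field must have.
# A frame cannot name a module, class or callable: there is nothing here
# to resolve, so the decoder can only ever return plain data.
FRAME_SCHEMAS = {
    "audio": {"sample_rate": int, "num_channels": int, "audio_b64": str},
    "text": {"text": str},
}


class FrameDecodeError(ValueError):
    """Raised for any frame that does not match the schema exactly."""


def decode_frame_json(data: bytes) -> dict:
    """Parse one network frame into a dict of primitives, or refuse it."""
    if len(data) > MAX_FRAME_BYTES:
        raise FrameDecodeError("frame exceeds size limit")
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise FrameDecodeError(f"not a JSON frame: {exc}") from None
    if not isinstance(obj, dict):
        raise FrameDecodeError("frame must be a JSON object")
    schema = FRAME_SCHEMAS.get(obj.get("type"))
    if schema is None:
        raise FrameDecodeError(f"unknown frame type {obj.get('type')!r}")
    extra = set(obj) - set(schema) - {"type"}
    if extra:
        raise FrameDecodeError(f"unexpected fields {sorted(extra)}")
    for field, expected in schema.items():
        if field not in obj:
            raise FrameDecodeError(f"missing field {field!r}")
        # Exact type check: bool subclasses int, so isinstance() would accept
        # `true` where an integer sample rate is required.
        if type(obj[field]) is not expected:
            raise FrameDecodeError(f"field {field!r} must be {expected.__name__}")
    if "audio_b64" in obj:
        try:
            base64.b64decode(obj["audio_b64"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raise FrameDecodeError("audio_b64 is not valid base64") from None
    return obj


def encode_frame_json(frame: dict) -> bytes:
    """Validate on the way out too, so a buggy producer cannot emit a frame
    the receiver would drop."""
    data = json.dumps(frame, separators=(",", ":")).encode("utf-8")
    decode_frame_json(data)
    return data


def is_rejected(data: bytes) -> bool:
    """True if the JSON codec refuses the frame (handy for tests and metrics)."""
    try:
        decode_frame_json(data)
    except FrameDecodeError:
        return True
    return False


def looks_like_pickle(data: bytes) -> bool:
    """Cheap edge check for logging: modern pickle.dumps() output opens with
    the PROTO opcode 0x80 followed by a protocol number 2..5. A signal, not
    a substitute for the schema above."""
    return len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so a pickle can only rebuild primitives
    and containers. Shown to illustrate how much of the format is unsafe;
    the real fix is to stop unpickling at the trust boundary."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def load_pickle_primitives_only(data: bytes):
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def pickle_references_globals(data: bytes) -> bool:
    """True if loading the pickle would require resolving a module-level
    name, i.e. it names a class or callable rather than carrying plain data."""
    try:
        load_pickle_primitives_only(data)
    except pickle.UnpicklingError:
        return True
    return False


def constructed_samples() -> dict:
    """Constructed inputs: a plain-data pickle and a pickle of a benign stdlib
    container that nevertheless needs a global lookup (collections.OrderedDict),
    the same mechanism an attacker-controlled pickle relies on."""
    return {
        "plain": pickle.dumps({"a": 1, "b": [1, 2]}),
        "global": pickle.dumps(collections.OrderedDict(a=1)),
    }


if __name__ == "__main__":
    print(decode_frame_json(encode_frame_json({"type": "text", "text": "hello"})))
    for label, blob in constructed_samples().items():
        print(label, looks_like_pickle(blob), pickle_references_globals(blob), is_rejected(blob))
```

Every pickle, including the harmless OrderedDict, is refused by the JSON codec before any parsing happens, and even the plain-data pickle only loads under the restricted unpickler because it happens to contain no global; a single `find_class` call is all that separates "data" from "code" in that format, which is why the advisory's recommendation is to change the format rather than to filter payloads.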