CVE-2025-62373 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: April 23, 2026
Pipecat - Remote Code Execution
Published: April 23, 2026 | Updated: April 23, 2026 | Remote Exploitable
Overview
Pipecat 0.0.41 through 0.0.93 contains a remote code execution vulnerability caused by unsafe deserialization with pickle.loads() in LivekitFrameSerializer, allowing remote attackers to execute arbitrary code via crafted WebSocket payloads. Exploitation requires a server configured with LivekitFrameSerializer and network exposure.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Remote attackers can execute arbitrary code on the Pipecat server, potentially leading to full system compromise.
Mitigation
Upgrade to version 0.0.94 or later and avoid using LivekitFrameSerializer; use LiveKitTransport or other secure methods instead.
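As an added illustration (not Pipecat's code; the frame types and field names are constructed for this example), two defensive deserialization paths for a WebSocket frame handler: a pickle loader that refuses every global name lookup, for code that cannot yet drop pickle, and the preferred replacement, a strictly validated JSON envelope that involves no pickle at all.

```python
import io
import json
import pickle

# Added example, not Pipecat code. Frame types and fields are constructed.

class RejectGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL / STACK_GLOBAL name lookup.

    Code execution through pickle depends on resolving a callable by name
    and then applying it (REDUCE, INST, OBJ, NEWOBJ, BUILD all need one).
    Raising in find_class removes that capability; plain data (bytes, str,
    int, float, list, tuple, dict, None, bool) still loads. This is defence
    in depth: the real fix is to upgrade and stop pickling network input.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from an untrusted frame")


def load_legacy_frame(data: bytes):
    """Deserialise a pickle-encoded frame without permitting any import."""
    return RejectGlobalsUnpickler(io.BytesIO(data)).load()


# Preferred replacement: a strictly validated JSON envelope, no pickle at all.
ALLOWED_FRAMES = {
    "audio": {"pcm_hex": str, "sample_rate": int, "channels": int},
    "text": {"text": str},
}


def load_json_frame(data: bytes, max_len: int = 1 << 20) -> dict:
    """Parse a JSON frame, rejecting unknown types, extra fields, bad types."""
    if len(data) > max_len:
        raise ValueError("frame too large")
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, dict) or not isinstance(obj.get("type"), str):
        raise ValueError("frame must be an object with a string 'type'")
    schema = ALLOWED_FRAMES.get(obj["type"])
    if schema is None:
        raise ValueError(f"unknown frame type {obj['type']!r}")
    fields = {k: v for k, v in obj.items() if k != "type"}
    if set(fields) != set(schema):
        raise ValueError("unexpected or missing fields")
    for key, typ in schema.items():
        # bool subclasses int; a JSON true/false must not pass as a count
        if isinstance(fields[key], bool) or not isinstance(fields[key], typ):
            raise ValueError(f"field {key!r} has wrong type")
    return obj
```

The restricted unpickler still accepts plain-data pickles produced by a trusted peer, so it can bridge a migration, but any frame that references a class or function by name is rejected outright.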
Details
- CVE ID: CVE-2025-62373
- Severity: Critical
- CVSS Score: 9.8
- Type: insecure_deserialization
- Status: new
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H