Description
Piwigo is a full-featured open source photo gallery application for the web
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Pipecat
PRODUCT: Pipecat
AFFECTED_VERSIONS: 0.0.41 through 0.0.93
---END_METADATA---
Description Summary:
A deserialization vulnerability in the LivekitFrameSerializer class of the Pipecat framework allows remote attackers to execute arbitrary code via malicious pickle payloads.
Executive Summary:
A critical insecure deserialization vulnerability in the Pipecat framework allows remote attackers to achieve arbitrary code execution on servers configured with the deprecated LivekitFrameSerializer.
Vulnerability Details
CVE-ID: CVE-2025-62373
Affected Software: Pipecat
Affected Versions: 0.0.41 through 0.0.93
Vulnerability: The LivekitFrameSerializer class uses pickle.loads() on untrusted WebSocket data without validation. An unauthenticated attacker can send a crafted payload to execute code on the server.
Business Impact
With a CVSS score of 9.8, this vulnerability allows for complete server compromise. If the server is exposed to the internet, attackers can gain full control over the host, leading to data breaches and potential lateral movement into the internal network.
Remediation Plan
Immediate Action: Upgrade to Pipecat version 0.0.94 or higher and cease usage of the vulnerable LivekitFrameSerializer.
Proactive Monitoring: Inspect application logs for signs of deserialization errors or unexpected process spawns originating from WebSocket handlers.
Compensating Controls: Isolate the service using network segmentation and ensure it is not exposed to the public internet unless absolutely necessary.
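To make the flaw and the "validation" the advisory says is missing concrete, here is an added example. It is not Pipecat's code, and the function and class names (vulnerable_deserialize, RestrictedUnpickler, safe_deserialize, the sample frame builders) are constructed for this illustration. It places the raw pickle.loads() pattern the advisory describes beside an allowlisting Unpickler, the approach documented in the Python standard library for refusing any global a peer-controlled stream tries to resolve. The recommended fix remains the upgrade above; the allowlist shows why stock pickle on network input is unsafe and what a defensible decoder has to refuse.

```python
import builtins
import io
import os
import pickle

# Added example, not Pipecat's code. Contrasts the pattern the advisory
# describes (pickle.loads on peer-supplied WebSocket bytes) with an
# allowlisting unpickler, the mitigation pattern from the Python stdlib docs.


def vulnerable_deserialize(data: bytes):
    """The unsafe pattern: stock pickle resolves every module.name the
    stream references, and the reduce protocol calls whatever it names."""
    return pickle.loads(data)


# Names a frame is allowed to reference. Anything outside this set,
# including every function in os, subprocess or the application, is refused.
_SAFE_BUILTINS = frozenset({
    "dict", "list", "tuple", "set", "frozenset",
    "str", "bytes", "int", "float", "bool",
})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves a short allowlist of builtin types."""

    def find_class(self, module, name):
        # Invoked for every global the stream wants to load, including the
        # callable behind a reduce-protocol entry. Refuse by default.
        if module == "builtins" and name in _SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}")


def safe_deserialize(data: bytes):
    """Decode data with the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_deserialize(data: bytes):
    """Return (True, obj) for an accepted frame, (False, reason) otherwise."""
    try:
        return True, safe_deserialize(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample frames for the demonstration below.
def benign_frame() -> bytes:
    return pickle.dumps({"kind": "audio", "seq": 7, "pcm": b"\x00\x01\x02"})


def global_reference_frame() -> bytes:
    # A stream that references a non-builtin callable by name. os.getcwd is
    # harmless; the point is that stock pickle resolves any such reference.
    return pickle.dumps(os.getcwd)


if __name__ == "__main__":
    print(vulnerable_deserialize(benign_frame()))
    print(vulnerable_deserialize(global_reference_frame()))
    print(try_safe_deserialize(benign_frame()))
    print(try_safe_deserialize(global_reference_frame()))
```

Run as-is, the stock loader returns the referenced os.getcwd function object, while the restricted loader rejects the same stream with "refusing to load global posix.getcwd" (nt.getcwd on Windows) and still accepts the plain dict frame. When auditing a deployment that cannot upgrade yet, searching the codebase for pickle.loads or pickle.Unpickler reachable from WebSocket or other network handlers is the quickest way to find this class of exposure; the durable fix is to move such frames to a schema-checked format such as JSON or protobuf rather than to keep pickle at all.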
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Apr 23, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The use of insecure deserialization is a high-risk practice that must be eliminated. Developers using Pipecat should immediately migrate to the latest version and transition to the recommended LiveKitTransport to ensure long-term security.