CVE-2025-62373: Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer

A critical vulnerability exists in Pipecat’s LivekitFrameSerializer – an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integration. The class’s deserialize() method uses Python’s pickle.loads() on data received from WebSocket clients without any validation or sanitization. This means that a malicious WebSocket client can send a crafted pickle payload to execute arbitrary code on the Pipecat server. The vulnerable code resides in src/pipecat/serializers/livekit.py (around line 73), where untrusted WebSocket message data is passed directly into pickle.loads() for deserialization. If a Pipecat server is configured to use LivekitFrameSerializer and is listening on an external interface (e.g. 0.0.0.0), an attacker on the network (or the internet, if the service is exposed) could achieve remote code execution (RCE) on the server by sending a malicious pickle payload.