The vulnerability in pipecat (CVE-2025-62373) arises from unsafe deserialization in the LivekitFrameSerializer class, which is optional, deprecated, and undocumented. The deserialize() method directly calls Python's pickle.loads() on data received from WebSocket clients without any sanitization, allowing a malicious client to send crafted pickle payloads that execute arbitrary code on the server. This affects pipecat versions from 0.0.41 up to but not including 0.0.94. The issue is fixed in version 0.0.94 by removing or replacing the vulnerable deserialization approach. The vulnerability is critical with a CVSS 3.1 score of 9.8, reflecting network attack vector, no privileges required, no user interaction, and full confidentiality, integrity, and availability impact.

An attacker who can connect to a pipecat server configured with the vulnerable LivekitFrameSerializer and exposed on an external interface can achieve remote code execution on the server. This can lead to full compromise of the affected system, including unauthorized data access, modification, and service disruption. The vulnerability is critical due to the ease of exploitation (no privileges or user interaction required) and the severity of impact (complete system compromise).

A fix is available in pipecat version 0.0.94, which removes or replaces the unsafe deserialization method. Users should upgrade to version 0.0.94 or later. The best mitigation is to stop using the deprecated LivekitFrameSerializer entirely. For those requiring LiveKit integration, switch to the recommended LiveKitTransport or other secure methods provided by the framework. Additionally, avoid using Python pickle or similar unsafe deserialization on network-facing components and never trust client-supplied data. Since this is not a cloud service, remediation depends on user upgrades and configuration changes.