LlamaIndex Unsafe Deserialization Vulnerability in BGEM3Index Allowing Arbitrary Code Execution

Vulnerability

A vulnerability exists in LlamaIndex versions through 0.11.6, specifically in the BGEM3Index class's load_from_disk() method. This vulnerability arises from unsafe deserialization using pickle.load() to read a user-supplied file, multi_embed_store.pkl, without proper validation. An attacker can exploit this by crafting a persist directory with a malicious pickle file, leading to arbitrary code execution when the index is loaded from disk.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the machine loading the affected index.

Reproduction

To reproduce this vulnerability, create a directory structure that mimics the expected input for the BGEM3Index load_from_disk() function. This includes a 'multi_embed_store.pkl' file containing a pickled object with a malicious payload, such as a command to be executed on the system. Once this crafted directory is prepared, it can be loaded using the BGEM3Index class, triggering the execution of the embedded command.

Remediation

Users are advised to update to LlamaIndex version 0.11.7 or later, where this vulnerability has been addressed.
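Added example (not code from this advisory or from LlamaIndex): a pre-load check for persist directories received from other parties, which lists the globals a multi_embed_store.pkl would import without unpickling it and rejects anything outside an allowlist. The function names and the allowlist contents are assumptions; unresolvable references are treated as unsafe.

```python
import pickle
import pickletools

# Assumption: globals a benign embedding store may reference. Build the real
# list by auditing a multi_embed_store.pkl produced by your own pipeline.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("numpy", "ndarray"),
                   ("numpy", "dtype"), ("numpy.core.multiarray", "_reconstruct")}
UNRESOLVED = ("<unresolved>", "<unresolved>")
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
NO_STACK_EFFECT = {"FRAME", "PROTO"}

def referenced_globals(data: bytes) -> set:
    """Return every (module, name) the pickle would import, without loading it."""
    found, pushed, memo = set(), [None, None], {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):        # arg is "module name"
            found.add(tuple(arg.split(" ", 1)))
            pushed.append(None)
        elif op.name == "STACK_GLOBAL":          # module and name come from the stack
            module, name = pushed[-2:]
            found.add((module, name) if module and name else UNRESOLVED)
            pushed.append(None)
        elif op.name.startswith("EXT"):          # copyreg extension codes: opaque here
            found.add(UNRESOLVED)
        elif op.name in STRING_OPS:
            pushed.append(arg)
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed.append(memo.get(arg))         # string reused from the memo table
        elif op.name == "MEMOIZE":
            memo[len(memo)] = pushed[-1]
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = pushed[-1]
        elif op.name not in NO_STACK_EFFECT:
            pushed.append(None)                  # stack top no longer known
    return found

def is_safe_to_load(data: bytes) -> bool:
    """True only if the stream parses and every referenced global is allowlisted."""
    try:
        return referenced_globals(data) <= ALLOWED_GLOBALS
    except Exception:                            # truncated or malformed stream
        return False

# Constructed samples: a plain dict store, and a pickle that names a
# non-allowlisted callable (builtins.len as a harmless stand-in).
BENIGN = pickle.dumps({"doc-1": [0.12, 0.98]})
SUSPECT = pickle.dumps(len)
```

This check only reduces exposure when loading older persisted data; updating to 0.11.7 or later remains the remediation.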

Added: Jan 12, 2026, 11:25 PM
Updated: Jan 12, 2026, 11:25 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 7.5
exploitability: 5.8
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.