Pipecat LivekitFrameSerializer Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in Pipecat versions 0.0.41 through 0.0.93, specifically within the `LivekitFrameSerializer` class. This optional and now-deprecated serializer, intended for LiveKit integration, contains a flaw in its `deserialize()` method. The method uses Python's `pickle.loads()` to process data from WebSocket clients without any validation or sanitization. As a result, a malicious WebSocket client can send a crafted pickle payload that, when deserialized, executes arbitrary code on the Pipecat server. The vulnerability is exploitable if the server is configured to use this serializer and is listening on an external interface.
Impact
Exploitation of this vulnerability allows for remote code execution on the Pipecat server. An attacker can execute arbitrary commands or code with the same privileges as the Pipecat process, potentially leading to a full compromise of the server.
Reproduction
To reproduce this vulnerability, start a Pipecat WebSocket server with the `LivekitFrameSerializer` enabled and bound to an external interface. Then send a malicious pickle payload from a WebSocket client; the server deserializes it and executes arbitrary code.
Remediation
Users should upgrade to Pipecat version 0.0.94 or later, discontinue use of the `LivekitFrameSerializer`, and switch to the recommended `LiveKitTransport` or another secure method provided by the framework. Additionally, follow secure coding practices: avoid unsafe deserialization of client-supplied data, and tighten network configuration so the server is not exposed on external interfaces unnecessarily.
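The following audit helper is an added example, not code from the advisory or from Pipecat. It checks a version string against the affected range given above and scans Python source for references to `LivekitFrameSerializer` and direct `pickle.loads` calls; the sample source and the module name `placeholder_module` are constructed for illustration.

```python
import ast

AFFECTED_MIN = (0, 0, 41)  # first affected version per the advisory
AFFECTED_MAX = (0, 0, 93)  # last affected version; 0.0.94 is fixed
SERIALIZER = "LivekitFrameSerializer"

# Constructed sample of application code (module name is a placeholder).
SAMPLE = '''\
from placeholder_module import LivekitFrameSerializer
import pickle

serializer = LivekitFrameSerializer()

def handle(data):
    return pickle.loads(data)
'''


def is_affected(version: str) -> bool:
    """True if a plain X.Y.Z Pipecat version is in the affected range."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def find_risky_usage(source: str, filename: str = "<src>") -> list:
    """Return sorted (line, reason) pairs for serializer use and pickle.loads."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.ImportFrom):
            if any(alias.name == SERIALIZER for alias in node.names):
                findings.append((node.lineno, f"imports {SERIALIZER}"))
        elif isinstance(node, ast.Name) and node.id == SERIALIZER:
            findings.append((node.lineno, f"references {SERIALIZER}"))
        elif isinstance(node, ast.Attribute) and node.attr == SERIALIZER:
            findings.append((node.lineno, f"references {SERIALIZER}"))
        elif isinstance(node, ast.Call):
            f = node.func
            if (isinstance(f, ast.Attribute) and f.attr == "loads"
                    and isinstance(f.value, ast.Name) and f.value.id == "pickle"):
                findings.append((node.lineno, "calls pickle.loads"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_risky_usage(SAMPLE):
        print(f"line {line}: {reason}")
```

A `pickle.loads` finding is a prompt for review rather than proof of exposure: what matters is whether the bytes can come from a client.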
