PatchSiren cyber security CVE debrief
CVE-2024-14021 run-llama CVE debrief
CVE-2024-14021 is an unsafe deserialization vulnerability in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6. The vulnerability exists in the BGEM3Index.load_from_disk() function in llama_index/indices/managed/bge_m3/base.py, which uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk. This vulnerability has a high impact and requires immediate attention from users of LlamaIndex.
- Vendor
- run-llama
- Product
- llama_index
- CVSS
- HIGH 8.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-12
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-01-12
- Advisory updated
- 2026-07-14
Who should care
Users of LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 should be aware of this vulnerability and take steps to mitigate it. This includes ensuring that the persist directory is validated and that only trusted pickle files are deserialized. Additionally, users should monitor for suspicious activity and keep LlamaIndex up to date with the latest security patches.
Technical summary
The vulnerability exists in the BGEM3Index.load_from_disk() function in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. This allows an attacker to provide a crafted persist directory containing a malicious pickle file, which can trigger arbitrary code execution when the victim loads the index from disk. The vulnerability has a CVSS score of 8.4 and is classified as HIGH severity.
Defensive priority
High
Recommended defensive actions
- Validate the persist directory to ensure it is trusted
- Use secure deserialization methods, such as using a secure pickle file or validating the pickle file before deserialization
- Monitor for suspicious activity, such as unexpected code execution or unusual network activity
- Keep LlamaIndex (run-llama/llama_index) up to date with the latest security patches
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-01-12T23:15:51.413Z and has not been modified since then. The NVD entry is currently Analyzed. The vulnerability exists in the BGEM3Index.load_from_disk() function in llama_index/indices/managed/bge_m3/base.py, which uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. This allows an attacker to provide a crafted persist directory containing a malicious pickle file, which can trigger arbitrary code execution when the victim loads the index from disk. Evidence is limited to CVE and NVD details.
Official resources
-
CVE-2024-14021 CVE record
CVE.org
-
CVE-2024-14021 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-01-12T23:15:51.413Z and has not been modified since then. The NVD entry is currently Analyzed.