PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-14021 run-llama CVE debrief

CVE-2024-14021 is an unsafe deserialization vulnerability in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6. The vulnerability exists in the BGEM3Index.load_from_disk() function in llama_index/indices/managed/bge_m3/base.py, which uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk. This vulnerability has a high impact and requires immediate attention from users of LlamaIndex.

Vendor
run-llama
Product
llama_index
CVSS
HIGH 8.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-12
Original CVE updated
2026-07-14
Advisory published
2026-01-12
Advisory updated
2026-07-14

Who should care

Users of LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 should be aware of this vulnerability and take steps to mitigate it. This includes ensuring that the persist directory is validated and that only trusted pickle files are deserialized. Additionally, users should monitor for suspicious activity and keep LlamaIndex up to date with the latest security patches.

Technical summary

The vulnerability exists in the BGEM3Index.load_from_disk() function in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. This allows an attacker to provide a crafted persist directory containing a malicious pickle file, which can trigger arbitrary code execution when the victim loads the index from disk. The vulnerability has a CVSS score of 8.4 and is classified as HIGH severity.

Defensive priority

High

Recommended defensive actions

  • Validate the persist directory to ensure it is trusted
  • Use secure deserialization methods, such as using a secure pickle file or validating the pickle file before deserialization
  • Monitor for suspicious activity, such as unexpected code execution or unusual network activity
  • Keep LlamaIndex (run-llama/llama_index) up to date with the latest security patches
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-01-12T23:15:51.413Z and has not been modified since then. The NVD entry is currently Analyzed. The vulnerability exists in the BGEM3Index.load_from_disk() function in llama_index/indices/managed/bge_m3/base.py, which uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. This allows an attacker to provide a crafted persist directory containing a malicious pickle file, which can trigger arbitrary code execution when the victim loads the index from disk. Evidence is limited to CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-01-12T23:15:51.413Z and has not been modified since then. The NVD entry is currently Analyzed.