pipecat-ai 0.0.93

Direct Vulnerabilities

Known vulnerabilities in the pipecat-ai package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Directory Traversal pipecat-ai is an An open source framework for voice (and multimodal) assistants Affected versions of this package are vulnerable to Directory Traversal via the `download_file()` function in the `GET /files/{filename:path}` endpoint when the process is started with the `--folder` flag. An attacker can access arbitrary files readable by the process by sending specially crafted HTTP requests containing percent-encoded path separators in the `filename` parameter. How to fix Directory Traversal? Upgrade `pipecat-ai` to version 1.2.0 or higher.	[0.0.90,1.2.0)
C Deserialization of Untrusted Data pipecat-ai is an An open source framework for voice (and multimodal) assistants Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the `deserialize` function of the `LivekitFrameSerializer` class, which uses `pickle.loads` on untrusted data received from WebSocket clients. An attacker can execute arbitrary code on the server by sending a specially crafted pickle payload over the network. This is only exploitable if the application is explicitly configured to use the `LivekitFrameSerializer` and the WebSocket server is accessible to untrusted clients. How to fix Deserialization of Untrusted Data? Upgrade `pipecat-ai` to version 0.0.94 or higher.	[,0.0.94)

Vulnerability

Vulnerable Version

Directory Traversal

pipecat-ai is an An open source framework for voice (and multimodal) assistants

Affected versions of this package are vulnerable to Directory Traversal via the download_file() function in the GET /files/{filename:path} endpoint when the process is started with the --folder flag. An attacker can access arbitrary files readable by the process by sending specially crafted HTTP requests containing percent-encoded path separators in the filename parameter.

How to fix Directory Traversal?

Upgrade pipecat-ai to version 1.2.0 or higher.

[0.0.90,1.2.0)

Deserialization of Untrusted Data

pipecat-ai is an An open source framework for voice (and multimodal) assistants

Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialize function of the LivekitFrameSerializer class, which uses pickle.loads on untrusted data received from WebSocket clients. An attacker can execute arbitrary code on the server by sending a specially crafted pickle payload over the network. This is only exploitable if the application is explicitly configured to use the LivekitFrameSerializer and the WebSocket server is accessible to untrusted clients.

How to fix Deserialization of Untrusted Data?

Upgrade pipecat-ai to version 0.0.94 or higher.

[,0.0.94)

pipecat-ai@0.0.93

An open source framework for voice (and multimodal) assistants

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically