CRITICAL🇵🇱 Wersja polska

CVE-2024-2952

CVSS 9.8v3.0pub. 2024-04-10upd. 2025-07-15

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server.

🤖 AI Analysis
How it works

The `hf_chat_template` method processes the `chat_template` parameter read from the `tokenizer_config.json` file directly through the Jinja2 template engine without proper input sanitization. An attacker can craft a malicious `tokenizer_config.json` file containing Jinja2 template directives that will be executed on the server side. The absence of any authentication requirements (PR:N, UI:N) makes the exploit remotely executable over the network without user interaction.

Impact

Successful exploitation enables an attacker to achieve complete remote code execution (RCE) on the server, which may lead to full control over the host, data theft, and compromise of the confidentiality and integrity of the environment.

Mitigation & patch

BerriAI LiteLLM should be updated to a version containing commit 8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3 or newer, available in the BerriAI project GitHub repository. Until the patch is deployed, it is recommended to restrict network access to the `/completions` endpoint and implement strict controls over the sources of `tokenizer_config.json` files processed by the service.

Who is affected

BerriAI LiteLLM product — versions specified in producer references (patched commit: 8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Litellm

    APP
    Litellm
    < 1.34.42
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-42208CRITICAL9.3⚠ KEVPL ✓ten sam produkt

SQL Injection w LiteLLM umożliwia nieautoryzowany dostęp do bazy danych

CVE-2026-33634CRITICAL9.4⚠ KEVPL ✓ten sam produkt

Atak supply chain na Trivy — złośliwe tagi GitHub Actions i obraz kontenera

CVE-2026-49468CRITICAL9.5PL ✓ten sam produkt

Krytyczna podatność w LiteLLM (AI Gateway) — obejście uwierzytelniania

CVE-2026-35030CRITICAL9.4PL ✓ten sam produkt

LiteLLM: pominięcie uwierzytelnienia JWT przez kolizję klucza cache (Auth Bypass)

CVE-2024-5751CRITICAL9.8PL ✓ten sam produkt

RCE w BerriAI/litellm poprzez endpoint /config/update