CRITICAL🇵🇱 Wersja polska

CVE-2024-5751

CVSS 9.8v3.1pub. 2024-06-27upd. 2024-11-21

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model.

🤖 AI Analysis
How it works

The `add_deployment` function decodes base64-encoded data and decrypts environment variables, then assigns them directly to `os.environ`. An attacker can send a malicious payload to the `/config/update` endpoint, which is saved and processed by the server. When the `get_secret` function is subsequently called, the server executes the data provided by the attacker as code. The exploit requires the server to use Google KMS and a database to store model configurations.

Impact

An attacker can gain full control over the server through remote code execution, which may lead to violations of confidentiality, integrity, and system availability.

Mitigation & patch

Patches available from the vendor should be applied according to references. Additionally, until an update is applied, it is recommended to restrict access to the `/config/update` endpoint only to trusted, authenticated users and disable Google KMS configuration if it is not necessary.

Who is affected

BerriAI/litellm version v1.35.8, when the server is configured with Google KMS and a database for model storage

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Litellm

    APP
    Litellm
    1.35.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-42208CRITICAL9.3⚠ KEVPL ✓ten sam produkt

SQL Injection w LiteLLM umożliwia nieautoryzowany dostęp do bazy danych

CVE-2026-33634CRITICAL9.4⚠ KEVPL ✓ten sam produkt

Atak supply chain na Trivy — złośliwe tagi GitHub Actions i obraz kontenera

CVE-2026-49468CRITICAL9.5PL ✓ten sam produkt

Krytyczna podatność w LiteLLM (AI Gateway) — obejście uwierzytelniania

CVE-2026-35030CRITICAL9.4PL ✓ten sam produkt

LiteLLM: pominięcie uwierzytelnienia JWT przez kolizję klucza cache (Auth Bypass)

CVE-2024-2952CRITICAL9.8PL ✓ten sam produkt

BerriAI LiteLLM – SSTI via Jinja umożliwia RCE przez endpoint /completions