Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-2952

Summary
Assigner-@huntr_ai
Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a
Published At-10 Apr, 2024 | 17:07
Updated At-01 Aug, 2024 | 19:32
Rejected At-
Credits

Server-Side Template Injection in BerriAI/litellm

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:@huntr_ai
Assigner Org ID:c09c270a-b464-47c1-9133-acb35b22c19a
Published At:10 Apr, 2024 | 17:07
Updated At:01 Aug, 2024 | 19:32
Rejected At:
▼CVE Numbering Authority (CNA)
Server-Side Template Injection in BerriAI/litellm

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server.

Affected Products
Vendor
berriai
Product
berriai/litellm
Versions
Affected
  • From unspecified before 1.34.42 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-76CWE-76 Improper Neutralization of Equivalent Special Elements
Type: CWE
CWE ID: CWE-76
Description: CWE-76 Improper Neutralization of Equivalent Special Elements
Metrics
VersionBase scoreBase severityVector
3.09.8CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.0
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4
N/A
https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3
N/A
Hyperlink: https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4
Resource: N/A
Hyperlink: https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
berriai
Product
litellm
CPEs
  • cpe:2.3:a:berriai:litellm:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 1.23.2 before 1.34.42 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4
x_transferred
https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3
x_transferred
Hyperlink: https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4
Resource:
x_transferred
Hyperlink: https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@huntr.dev
Published At:10 Apr, 2024 | 17:15
Updated At:15 Jul, 2025 | 14:21

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.09.8CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.0
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
litellm
litellm
>>litellm>>Versions before 1.34.42(exclusive)
cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-76Secondarysecurity@huntr.dev
CWE ID: CWE-76
Type: Secondary
Source: security@huntr.dev
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3security@huntr.dev
Patch
https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4security@huntr.dev
Exploit
Third Party Advisory
https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3af854a3a-2127-422b-91ae-364da2661108
Patch
https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4af854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
Hyperlink: https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3
Source: security@huntr.dev
Resource:
Patch
Hyperlink: https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4
Source: security@huntr.dev
Resource:
Exploit
Third Party Advisory
Hyperlink: https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2024-4264
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-4.64% / 88.86%
||
7 Day CHG~0.00%
Published-18 May, 2024 | 00:00
Updated-03 Sep, 2024 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution in berriai/litellm

A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings in `proxy_server_config.yaml`.

Action-Not Available
Vendor-berriaiberriai
Product-berriai/litellmlitellm
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-5751
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-4.02% / 88.00%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 18:40
Updated-20 Sep, 2024 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution in BerriAI/litellm

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model.

Action-Not Available
Vendor-litellmberriaiberriai
Product-litellmberriai/litellmlitellm
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
Details not found