BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server.
The `hf_chat_template` method processes the `chat_template` parameter read from the `tokenizer_config.json` file directly through the Jinja2 template engine without proper input sanitization. An attacker can craft a malicious `tokenizer_config.json` file containing Jinja2 template directives that will be executed on the server side. The absence of any authentication requirements (PR:N, UI:N) makes the exploit remotely executable over the network without user interaction.
Successful exploitation enables an attacker to achieve complete remote code execution (RCE) on the server, which may lead to full control over the host, data theft, and compromise of the confidentiality and integrity of the environment.
BerriAI LiteLLM should be updated to a version containing commit 8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3 or newer, available in the BerriAI project GitHub repository. Until the patch is deployed, it is recommended to restrict network access to the `/completions` endpoint and implement strict controls over the sources of `tokenizer_config.json` files processed by the service.
BerriAI LiteLLM product — versions specified in producer references (patched commit: 8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3).
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLitellm
APPLitellm< 1.34.42
Related vulnerabilities
SQL Injection w LiteLLM umożliwia nieautoryzowany dostęp do bazy danych
Atak supply chain na Trivy — złośliwe tagi GitHub Actions i obraz kontenera
Krytyczna podatność w LiteLLM (AI Gateway) — obejście uwierzytelniania
LiteLLM: pominięcie uwierzytelnienia JWT przez kolizję klucza cache (Auth Bypass)
RCE w BerriAI/litellm poprzez endpoint /config/update