BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model.
The `add_deployment` function decodes base64-encoded data and decrypts environment variables, then assigns them directly to `os.environ`. An attacker can send a malicious payload to the `/config/update` endpoint, which is saved and processed by the server. When the `get_secret` function is subsequently called, the server executes the data provided by the attacker as code. The exploit requires the server to use Google KMS and a database to store model configurations.
An attacker can gain full control over the server through remote code execution, which may lead to violations of confidentiality, integrity, and system availability.
Patches available from the vendor should be applied according to references. Additionally, until an update is applied, it is recommended to restrict access to the `/config/update` endpoint only to trusted, authenticated users and disable Google KMS configuration if it is not necessary.
BerriAI/litellm version v1.35.8, when the server is configured with Google KMS and a database for model storage
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLitellm
APPLitellm1.35.8
Related vulnerabilities
SQL Injection w LiteLLM umożliwia nieautoryzowany dostęp do bazy danych
Atak supply chain na Trivy — złośliwe tagi GitHub Actions i obraz kontenera
Krytyczna podatność w LiteLLM (AI Gateway) — obejście uwierzytelniania
LiteLLM: pominięcie uwierzytelnienia JWT przez kolizję klucza cache (Auth Bypass)
BerriAI LiteLLM – SSTI via Jinja umożliwia RCE przez endpoint /completions