CVE-2024-4264
📋 TL;DR
This CVE describes a critical remote code execution vulnerability in the berriai/litellm project where untrusted input is passed directly to the eval() function without sanitization. Attackers can exploit this by injecting malicious code through environment variables via the /config/update endpoint, potentially gaining full control of affected systems. Organizations using litellm with Google KMS integration are affected.
💻 Affected Systems
- berriai/litellm
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, deploy ransomware, or pivot to other systems in the network.
Likely Case
Attackers gain shell access to the litellm server, potentially accessing API keys, model configurations, and other sensitive credentials stored in the environment.
If Mitigated
With proper network segmentation and access controls, impact is limited to the litellm service instance, though sensitive credentials could still be compromised.
🎯 Exploit Status
Exploitation requires access to the /config/update endpoint. The vulnerability is straightforward to exploit once an attacker can modify configuration settings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the official GitHub repository for the specific fixed version
Vendor Advisory: https://github.com/berriai/litellm/security/advisories
Restart Required: Yes
Instructions:
1. Update litellm to the latest patched version.
2. Review and update proxy_server_config.yaml to remove any malicious entries.
3. Restart the litellm service.
4. Rotate all API keys and secrets that may have been exposed.
🔧 Temporary Workarounds
Disable Google KMS Integration
Temporarily disable Google KMS usage in the litellm configuration to prevent exploitation
Edit proxy_server_config.yaml and remove or comment out Google KMS configuration sections
Restrict /config/update Endpoint
Apply network access controls to limit who can access the configuration update endpoint
Configure firewall rules or web application firewall to restrict access to /config/update endpoint
🧯 If You Can't Patch
- Implement strict network segmentation to isolate litellm instances from sensitive systems
- Monitor and alert on any modifications to proxy_server_config.yaml or unexpected eval() function calls
🔍 How to Verify
Check if Vulnerable:
Check if your litellm version is affected by reviewing the GitHub security advisory and comparing with your installed version
Check Version:
pip show litellm | grep Version
Verify Fix Applied:
Verify the fix by checking that eval() is no longer used unsafely in the get_secret() method and that input validation has been implemented
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to proxy_server_config.yaml
- Unexpected eval() function calls in application logs
- Suspicious environment variable changes
Network Indicators:
- Unusual requests to /config/update endpoint
- Outbound connections to unexpected destinations from litellm process
SIEM Query:
source="litellm_logs" AND (uri_path="/config/update" OR message="eval" OR message="get_secret")
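The query above expresses the log and network indicators from this section as a single rule. As an added example (not part of the advisory and not litellm's code), the following Python implements the same logic over constructed sample events so the rule can be exercised offline: it scopes to `source="litellm_logs"`, flags requests to /config/update, mentions of eval or get_secret in the message, and mentions of proxy_server_config.yaml. The `key="value"` log layout and the sample lines are assumptions made for the demonstration, not litellm's real log format.

```python
import re

# Constructed sample events in an assumed key="value" layout (not litellm's
# real log format). Index 3 is from a different source and must not alert.
SAMPLE_LOGS = [
    'ts=2024-05-01T10:00:01Z source="litellm_logs" uri_path="/health" message="ok"',
    'ts=2024-05-01T10:00:05Z source="litellm_logs" uri_path="/config/update" message="config updated"',
    'ts=2024-05-01T10:00:06Z source="litellm_logs" uri_path="/chat/completions" message="get_secret called for GOOGLE_KMS key"',
    'ts=2024-05-01T10:00:07Z source="nginx" uri_path="/config/update" message="proxied"',
    'ts=2024-05-01T10:00:09Z source="litellm_logs" uri_path="/chat/completions" message="evaluation of request complete"',
    'ts=2024-05-01T10:00:11Z source="litellm_logs" uri_path="/chat/completions" message="proxy_server_config.yaml reloaded after eval() in get_secret"',
]

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EVAL_RE = re.compile(r"\beval\b")   # word match: "eval" / "eval(" but not "evaluation"


def parse_line(line: str) -> dict:
    """Parse one key="value" log line into a dict of strings."""
    event = {}
    for m in KV_RE.finditer(line):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def classify(event: dict) -> list[str]:
    """Return the indicator names an event matches (empty list if none).

    Mirrors the SIEM query: source must be litellm_logs, then any of the
    URI/message conditions fires. The config-file indicator from the
    'Log Indicators' list is included as a fourth condition.
    """
    hits = []
    if event.get("source") != "litellm_logs":
        return hits
    msg = event.get("message", "")
    if event.get("uri_path") == "/config/update":
        hits.append("config_update_request")
    if EVAL_RE.search(msg):
        hits.append("eval_mention")
    if "get_secret" in msg:
        hits.append("get_secret_mention")
    if "proxy_server_config.yaml" in msg:
        hits.append("config_file_change")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Run the rule over every line; return (line index, indicators) for alerts."""
    alerts = []
    for i, line in enumerate(lines):
        hits = classify(parse_line(line))
        if hits:
            alerts.append((i, hits))
    return alerts


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(hits)}")
```

Two points the query leaves implicit: in most SIEMs `message="eval"` is an exact match and would almost never fire, so the block treats the message conditions as substring or word matches, which is what the indicator list intends; and the `/config/update` condition alerts on every request to the endpoint, so on a deployment where administrators legitimately use it you will want to baseline the expected callers before paging on it.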