CVE-2024-5751

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote code execution in BerriAI/litellm when an attacker sends a malicious payload to the /config/update endpoint. The vulnerability occurs when environment variables are improperly decoded and assigned to os.environ, enabling arbitrary code execution. Systems using litellm v1.35.8 with Google KMS and database storage for models are affected.

💻 Affected Systems

Products:
  • BerriAI/litellm
Versions: v1.35.8
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires Google KMS configuration and database storage for models to be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with the attacker gaining full control over the server, allowing data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Attacker executes arbitrary commands on the server, potentially accessing sensitive data, modifying configurations, or disrupting services.

🟢 If Mitigated: Limited impact, with proper input validation and environment isolation preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the /config/update endpoint and specific configuration conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.35.9 or later

Vendor Advisory: https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce

Restart Required: Yes

Instructions:

1. Update litellm to version v1.35.9 or later using pip install --upgrade litellm==1.35.9
2. Restart all litellm services
3. Verify the update with pip show litellm

🔧 Temporary Workarounds

Disable vulnerable endpoint (Platforms: all)

Block or disable access to the /config/update endpoint:
  • Configure firewall rules to block the /config/update endpoint
  • Modify application routing to disable this endpoint

Input validation (Platforms: all)

Implement strict input validation for environment variable decoding:
  • Add validation checks in the add_deployment function before the os.environ assignment

🧯 If You Can't Patch

  • Implement network segmentation to isolate litellm instances from critical systems
  • Deploy web application firewall with RCE protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running litellm version v1.35.8 and configured with Google KMS and database model storage

Check Version:

pip show litellm | grep Version

Verify Fix Applied:

Verify litellm version is v1.35.9 or later and test /config/update endpoint with safe payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /config/update endpoint
  • Base64 encoded payloads in request logs
  • Unexpected environment variable modifications

Network Indicators:

  • POST requests to /config/update with encoded payloads
  • Unusual outbound connections from litellm server

SIEM Query:

source="web_logs" AND uri_path="/config/update" AND (payload_contains="base64" OR payload_size>1000)
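As an added example (not from this page or the litellm project), the SIEM rule above applied to a constructed JSON-lines web log; the field names, the request shape and the base64 heuristic are assumptions:

```python
import base64
import binascii
import json
import re

PAYLOAD_SIZE_LIMIT = 1000  # mirrors payload_size>1000 in the SIEM query
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")  # long run of base64 alphabet

# Constructed JSON-lines web log; field names are assumptions, not litellm's own format.
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    {"method": "GET", "uri_path": "/health", "payload_size": 0, "payload": ""},
    {"method": "POST", "uri_path": "/config/update", "payload_size": 96,
     "payload": '{"environment_variables": {"KEY": "' + "eHh4" * 10 + '"}}'},
    {"method": "POST", "uri_path": "/config/update", "payload_size": 44,
     "payload": '{"litellm_settings": {"drop_params": true}}'},
    {"method": "POST", "uri_path": "/config/update", "payload_size": 4096,
     "payload": "<body truncated by logger>"},
    {"method": "POST", "uri_path": "/chat/completions", "payload_size": 2048,
     "payload": "<body truncated by logger>"},
])


def looks_base64(text: str) -> bool:
    """True if text holds a token that matches the base64 alphabet and decodes cleanly."""
    for token in B64_TOKEN.findall(text):
        try:
            base64.b64decode(token, validate=True)
            return True
        except (binascii.Error, ValueError):
            continue
    return False


def flag_config_update_requests(log_text: str) -> list[dict]:
    """Return POST /config/update records whose payload looks base64-encoded or oversized."""
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("uri_path") != "/config/update":
            continue
        reasons = []
        if looks_base64(rec.get("payload", "")):
            reasons.append("base64_payload")
        if rec.get("payload_size", 0) > PAYLOAD_SIZE_LIMIT:
            reasons.append("oversized_payload")
        if reasons:  # small, plain-JSON config edits fall through unflagged
            hits.append({"uri_path": rec["uri_path"], "reasons": reasons})
    return hits
```

Running flag_config_update_requests(SAMPLE_LOGS) flags only the two /config/update requests that carry an encoded or oversized body; the small plain-JSON edit and the other endpoints pass.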
