{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/litellm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40217"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-40217","litellm","rce","bytecode-rewriting"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLiteLLM, a library for simplifying interactions with Large Language Models (LLMs), is vulnerable to remote code execution (RCE) through version 2026-04-08. The vulnerability, identified as CVE-2026-40217, exists due to insufficient input validation at the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e URI. A remote attacker can exploit this flaw by rewriting bytecode, effectively injecting and executing arbitrary code on the server hosting LiteLLM. This vulnerability poses a significant risk, as it allows unauthenticated attackers with network access to the affected server to gain complete control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a LiteLLM instance running a vulnerable version (\u0026lt;= 2026-04-08) with the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e endpoint exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e URI.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes specially crafted data designed to rewrite the bytecode executed by the LiteLLM instance.\u003c/li\u003e\n\u003cli\u003eThe LiteLLM application, due to the vulnerability, processes the attacker-supplied data without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe application rewrites its own bytecode based on the attacker\u0026rsquo;s 
input.\u003c/li\u003e\n\u003cli\u003eThe rewritten bytecode contains malicious code injected by the attacker.\u003c/li\u003e\n\u003cli\u003eThe application executes the rewritten bytecode, effectively executing the attacker\u0026rsquo;s injected code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the server, allowing them to compromise the system, install malware, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40217 allows unauthenticated remote attackers to execute arbitrary code on systems running vulnerable versions of LiteLLM. This can lead to complete system compromise, including data theft, ransomware deployment, and denial of service. The vulnerability could affect any organization utilizing LiteLLM for LLM interaction, particularly those exposing the vulnerable endpoint to untrusted networks. The impact is rated as critical due to the ease of exploitation and the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patches or upgrade to a version of LiteLLM that addresses CVE-2026-40217 immediately.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e endpoint, as referenced in the vulnerability description.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect LiteLLM Bytecode Rewrite Attempt\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003e/guardrails/test_custom_code\u003c/code\u003e URI, using the log source specified in the Sigma 
rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-litellm-rce/","summary":"LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI, potentially leading to complete system compromise.","title":"LiteLLM Remote Code Execution via Bytecode Rewriting (CVE-2026-40217)","url":"https://feed.craftedsignal.io/briefs/2026-04-litellm-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["litellm","authentication-bypass","credential-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLiteLLM versions prior to 1.83.0 are vulnerable to an authentication bypass vulnerability. User passwords are stored as unsalted SHA-256 hashes, a weak cryptographic practice that makes them susceptible to rainbow table attacks. Furthermore, these password hashes are exposed through several API endpoints, including \u003ccode\u003e/user/info\u003c/code\u003e, \u003ccode\u003e/user/update\u003c/code\u003e, and \u003ccode\u003e/spend/users\u003c/code\u003e, allowing any authenticated user to retrieve them. The \u003ccode\u003e/v2/login\u003c/code\u003e endpoint also accepts the raw SHA-256 hash as a valid password without proper re-hashing. This combination of vulnerabilities allows an attacker with low-level access to escalate privileges by obtaining another user\u0026rsquo;s password hash and using it to directly log in as that user. 
Defenders should upgrade to version 1.83.0 or later to mitigate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to LiteLLM and authenticates as a low-privilege user.\u003c/li\u003e\n\u003cli\u003eAttacker sends a request to \u003ccode\u003e/user/info\u003c/code\u003e to retrieve the password hash of another user.\u003c/li\u003e\n\u003cli\u003eThe API responds with the target user\u0026rsquo;s SHA-256 password hash.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request to the \u003ccode\u003e/v2/login\u003c/code\u003e endpoint using the stolen SHA-256 hash as the password.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/v2/login\u003c/code\u003e endpoint accepts the raw SHA-256 hash without re-hashing.\u003c/li\u003e\n\u003cli\u003eThe server authenticates the attacker as the target user.\u003c/li\u003e\n\u003cli\u003eAttacker now has the privileges of the target user, potentially gaining access to sensitive data or administrative functions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to unauthorized access and privilege escalation within the LiteLLM application. An attacker can impersonate other users, including administrators, potentially leading to data breaches, system compromise, and unauthorized modifications. The number of victims depends on the deployment size, but any LiteLLM instance running a version prior to 1.83.0 is vulnerable. 
Sectors utilizing LiteLLM are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version 1.83.0 or later to patch the vulnerability (reference: Patches section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LiteLLM User Info Hash Access\u0026rdquo; to monitor for unauthorized access to user password hashes via the \u003ccode\u003e/user/info\u003c/code\u003e endpoint (reference: rule: \u0026ldquo;Detect LiteLLM User Info Hash Access\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LiteLLM Login with SHA256 Hash\u0026rdquo; to detect login attempts using SHA256 hashes (reference: rule: \u0026ldquo;Detect LiteLLM Login with SHA256 Hash\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T00:04:12Z","date_published":"2026-04-08T00:04:12Z","id":"/briefs/2024-01-09-litellm-auth-bypass/","summary":"LiteLLM versions before 1.83.0 stored user passwords as unsalted SHA-256 hashes and exposed these hashes through multiple API endpoints, enabling an authenticated user to retrieve another user's password hash and use it to log in as that user due to the /v2/login endpoint accepting the raw SHA-256 hash without re-hashing, leading to potential privilege escalation.","title":"LiteLLM Authentication Bypass via Password Hash Exposure and Pass-the-Hash","url":"https://feed.craftedsignal.io/briefs/2024-01-09-litellm-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","pypi","litellm","compromise"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 24, 2026, versions 1.82.7 and 1.82.8 of the Litellm package, available on the Python Package Index (PyPI), were reported as compromised. This supply chain attack potentially affects thousands of users who may have updated to the malicious versions. 
The compromised packages could contain malicious code injected by an unknown threat actor. Users are advised to avoid updating to these versions and investigate their systems for potential compromise. The initial report came from a Reddit post and links to a blog post for further details.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eWhile the specifics of the attack chain are not fully detailed in the source, a typical supply chain attack targeting PyPI packages involves the following steps:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Compromise:\u003c/strong\u003e Threat actor gains unauthorized access to the Litellm PyPI account or the build environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Injection:\u003c/strong\u003e The attacker injects malicious code into the setup.py or other relevant files within the Litellm package. This malicious code could be designed to execute upon installation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVersion Release:\u003c/strong\u003e The compromised versions, 1.82.7 and 1.82.8, are released to PyPI, making them available for users to download and install.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Installation:\u003c/strong\u003e Users unknowingly download and install the compromised Litellm package using pip, triggering the execution of the injected malicious code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The malicious code may establish a reverse shell, download additional payloads, or perform other actions to gain initial access to the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker may establish persistence on the compromised system through various techniques, such as creating scheduled tasks or modifying startup scripts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Malware 
Deployment:\u003c/strong\u003e Depending on the attacker\u0026rsquo;s objective, they may exfiltrate sensitive data, deploy ransomware, or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker may attempt to move laterally to other systems within the compromised network, escalating their access and expanding their reach.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of Litellm versions 1.82.7 and 1.82.8 could lead to widespread compromise of systems that use the package. The injected malicious code could enable attackers to steal sensitive information, deploy malware, or gain unauthorized access to victim systems. The number of affected users is estimated to be in the thousands. This incident highlights the risks associated with supply chain attacks targeting open-source software repositories.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately stop updating to Litellm versions 1.82.7 and 1.82.8.\u003c/li\u003e\n\u003cli\u003eRevert to a known-good version of Litellm prior to 1.82.7.\u003c/li\u003e\n\u003cli\u003eAnalyze network connections for suspicious traffic originating from systems where the compromised Litellm versions were installed, using network connection logs.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for suspicious processes spawned from Python executables where Litellm is installed, using process creation logs and the Sigma rules provided below.\u003c/li\u003e\n\u003cli\u003eInvestigate systems where Litellm 1.82.7 or 1.82.8 was installed for any signs of compromise.\u003c/li\u003e\n\u003cli\u003eReview the blog post at \u003ca href=\"https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/\"\u003ehttps://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/\u003c/a\u003e for further details on the 
compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:12:58Z","date_published":"2026-03-24T12:12:58Z","id":"/briefs/2024-01-litellm-compromise/","summary":"Versions 1.82.7 and 1.82.8 of the Litellm package on PyPI were compromised in a supply chain attack, potentially impacting numerous users, with recommendations to avoid updating to these versions.","title":"Compromised Litellm PyPI Package Versions","url":"https://feed.craftedsignal.io/briefs/2024-01-litellm-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["litellm"],"_cs_severities":["critical"],"_cs_tags":["sqli","litellm","web-application"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability has been identified in LiteLLM, specifically affecting versions 1.81.16 through 1.83.6. The vulnerability resides within the proxy API key verification process. Due to improper sanitization of the \u003ccode\u003eAuthorization\u003c/code\u003e header, an unauthenticated attacker can inject arbitrary SQL commands. This is achieved by sending a specially crafted header to any LLM API route, such as \u003ccode\u003ePOST /chat/completions\u003c/code\u003e, which triggers the vulnerable query through the proxy\u0026rsquo;s error-handling mechanism. 
Defenders should prioritize patching to version 1.83.7 or later to mitigate this risk, or implement the suggested workaround.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP \u003ccode\u003eAuthorization\u003c/code\u003e header to a LiteLLM API endpoint (e.g., \u003ccode\u003e/chat/completions\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe LiteLLM proxy receives the request and extracts the API key from the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eDue to insufficient sanitization, the API key value is directly concatenated into a SQL query string.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SQL query is executed against the proxy\u0026rsquo;s database.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code to read sensitive data, such as user credentials or API keys, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may further inject SQL code to modify data, potentially granting themselves administrative privileges or compromising other users\u0026rsquo; accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the LiteLLM proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised proxy to access and control connected LLMs, exfiltrate data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to complete compromise of the LiteLLM proxy. Attackers could read or modify sensitive data within the proxy\u0026rsquo;s database, including API keys and credentials. This could lead to unauthorized access to managed LLMs and potentially allow attackers to exfiltrate sensitive data, disrupt services, or gain a foothold for further attacks within the compromised environment. 
The impact is significant due to the potential for widespread data breaches and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version 1.83.7 or later to patch the SQL injection vulnerability as detailed in the advisory \u003ca href=\"https://github.com/advisories/GHSA-r75f-5x8p-qvmc\"\u003eGHSA-r75f-5x8p-qvmc\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, set \u003ccode\u003edisable_error_logs: true\u003c/code\u003e in the \u003ccode\u003egeneral_settings\u003c/code\u003e configuration to mitigate the risk as described in the advisory \u003ca href=\"https://github.com/advisories/GHSA-r75f-5x8p-qvmc\"\u003eGHSA-r75f-5x8p-qvmc\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious \u003ccode\u003eAuthorization\u003c/code\u003e headers containing SQL injection payloads to detect potential exploitation attempts. Deploy the provided Sigma rule targeting HTTP request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-08T12:00:00Z","date_published":"2024-11-08T12:00:00Z","id":"/briefs/2024-11-litellm-sqli/","summary":"A SQL injection vulnerability exists in LiteLLM versions 1.81.16 up to, but not including, 1.83.7, allowing an unauthenticated attacker to inject SQL queries via a crafted 'Authorization' header, potentially leading to unauthorized data access or modification.","title":"LiteLLM Proxy API Key Verification SQL Injection","url":"https://feed.craftedsignal.io/briefs/2024-11-litellm-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["LiteLLM"],"_cs_severities":["high"],"_cs_tags":["ssti","litellm","template-injection","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA server-side template injection (SSTI) vulnerability has been identified in LiteLLM versions 1.80.5 up to, but not including, 1.83.7. 
This flaw resides within the \u003ccode\u003e/prompts/test\u003c/code\u003e endpoint, which processes user-supplied prompt templates. Due to insufficient input sanitization, a malicious actor with a valid proxy API key can inject arbitrary code into the template, leading to its execution within the LiteLLM Proxy process. This vulnerability was disclosed on April 24, 2026. Successful exploitation can compromise the proxy\u0026rsquo;s environment, potentially exposing sensitive credentials like provider API keys and database passwords, or allowing arbitrary command execution on the host system. Organizations using affected versions of LiteLLM are at risk. The vulnerability is addressed in version 1.83.7-stable by implementing a sandboxed template renderer.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the LiteLLM proxy server using a valid API key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious prompt template containing SSTI payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/prompts/test\u003c/code\u003e endpoint, including the crafted template in the request body.\u003c/li\u003e\n\u003cli\u003eThe LiteLLM proxy server receives the request and processes the template without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe SSTI payload executes arbitrary code within the LiteLLM proxy process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to environment variables containing sensitive information, such as API keys and database credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed credentials to gain unauthorized access to external services or data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the host system, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSTI vulnerability allows attackers to execute arbitrary code within the LiteLLM Proxy process. This can lead to the exposure of sensitive information such as API keys and database credentials, potentially enabling unauthorized access to other systems and data. Furthermore, attackers can execute arbitrary commands on the host, leading to full system compromise. The impact is significant for organizations relying on LiteLLM for managing and routing AI model requests, as it could result in data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version \u003ccode\u003e1.83.7-stable\u003c/code\u003e or later to patch the vulnerability, as this version implements a sandboxed template renderer (see Patches).\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, block \u003ccode\u003ePOST /prompts/test\u003c/code\u003e at your reverse proxy or API gateway to prevent exploitation attempts (see Workarounds).\u003c/li\u003e\n\u003cli\u003eReview and rotate API keys that should not have access to prompt management routes to limit the potential impact of compromised keys (see Workarounds).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LiteLLM SSTI Attempts via /prompts/test\u0026rdquo; to your SIEM to identify potential exploitation attempts based on HTTP request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-05T12:00:00Z","date_published":"2024-11-05T12:00:00Z","id":"/briefs/2024-11-litellm-ssti/","summary":"A server-side template injection vulnerability in LiteLLM versions 1.80.5 up to, but not including, 1.83.7 allows authenticated users to execute arbitrary code within the LiteLLM Proxy process via a crafted prompt template, potentially exposing sensitive information and enabling command execution on the 
host.","title":"LiteLLM Server-Side Template Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-11-litellm-ssti/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["litellm"],"_cs_severities":["high"],"_cs_tags":["rce","litellm","command-injection"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eLiteLLM versions 1.74.2 through 1.83.6 are vulnerable to authenticated command execution. Two endpoints, \u003ccode\u003ePOST /mcp-rest/test/connection\u003c/code\u003e and \u003ccode\u003ePOST /mcp-rest/test/tools/list\u003c/code\u003e, intended for previewing MCP server configurations, allowed any authenticated user to execute arbitrary commands on the proxy host. This was possible because the endpoints accepted a full server configuration in the request body, including the \u003ccode\u003ecommand\u003c/code\u003e, \u003ccode\u003eargs\u003c/code\u003e, and \u003ccode\u003eenv\u003c/code\u003e fields used by the stdio transport, without proper role checks. An attacker could exploit this vulnerability by using a low-privilege API key to send a crafted request containing malicious commands, leading to command execution with the privileges of the proxy process. The vulnerability was patched in version 1.83.7 by enforcing the \u003ccode\u003ePROXY_ADMIN\u003c/code\u003e role for these endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the LiteLLM proxy with a valid, but low-privilege, API key.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious JSON payload containing a server configuration intended for the stdio transport. 
The payload includes the \u003ccode\u003ecommand\u003c/code\u003e, \u003ccode\u003eargs\u003c/code\u003e, and \u003ccode\u003eenv\u003c/code\u003e fields, which specify the command to be executed, its arguments, and environment variables, respectively.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to either the \u003ccode\u003e/mcp-rest/test/connection\u003c/code\u003e or \u003ccode\u003e/mcp-rest/test/tools/list\u003c/code\u003e endpoint, with the malicious JSON payload in the request body.\u003c/li\u003e\n\u003cli\u003eThe LiteLLM proxy receives the request and, due to the vulnerability, attempts to connect to the supplied server configuration.\u003c/li\u003e\n\u003cli\u003eThe proxy spawns the supplied command as a subprocess on the proxy host, using the privileges of the proxy process.\u003c/li\u003e\n\u003cli\u003eThe attacker-supplied command executes arbitrary code on the host.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the proxy host with the privileges of the LiteLLM proxy.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the host running the LiteLLM proxy. Since the vulnerability can be exploited with a low-privilege API key, this significantly broadens the attack surface. Depending on the privileges of the proxy process, this could lead to full system compromise, data exfiltration, or denial of service. 
The lack of specific victim count or sector targeting information in the advisory suggests a broad potential impact across various deployments of LiteLLM.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version 1.83.7 or later to remediate the vulnerability (see Patches).\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, block \u003ccode\u003ePOST\u003c/code\u003e requests to the \u003ccode\u003e/mcp-rest/test/connection\u003c/code\u003e and \u003ccode\u003e/mcp-rest/test/tools/list\u003c/code\u003e endpoints at your reverse proxy or API gateway (see Workarounds).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for \u003ccode\u003ePOST\u003c/code\u003e requests to \u003ccode\u003e/mcp-rest/test/connection\u003c/code\u003e and \u003ccode\u003e/mcp-rest/test/tools/list\u003c/code\u003e endpoints, looking for suspicious \u003ccode\u003ecommand\u003c/code\u003e, \u003ccode\u003eargs\u003c/code\u003e, and \u003ccode\u003eenv\u003c/code\u003e parameters in the request body (see rules below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-litellm-rce/","summary":"Authenticated users with low-privilege API keys could execute arbitrary commands on the host running LiteLLM via the `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` endpoints, by submitting a server configuration including command execution parameters.","title":"LiteLLM Authenticated Command Execution via MCP stdio Test Endpoints","url":"https://feed.craftedsignal.io/briefs/2024-01-litellm-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Litellm","version":"https://jsonfeed.org/version/1.1"}