AVID-2026-R1523
Description
Remote Code Execution in berriai/litellm (CVE-2024-4264)
Details
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.get_secret() method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the /config/update endpoint, which allows for the update of settings in proxy_server_config.yaml.
Reason for inclusion in AVID: CVE-2024-4264 describes a remote code execution vulnerability in berriai/litellm caused by unsafe eval usage when handling data in server config, enabling exploitation in AI software stacks that rely on litellm. This is a software supply chain issue affecting AI frameworks/tools and can impact general-purpose AI deployment pipelines.
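The flaw class the advisory describes (a config-sourced value reaching eval) beside a hardened alternative, as an added illustration that is not litellm's own code; the function names, the GOOGLE_KMS_CREDS key and the sample values are constructed for this example.

```python
import json
from typing import Any

# Constructed example, not litellm's code. CANARY records whether a config
# value was executed as Python rather than merely decoded.
CANARY: list[str] = []


def get_secret_vulnerable(name: str, env: dict[str, str]) -> Any:
    """Vulnerable pattern: a dict-looking secret string is rebuilt with
    eval(). Because /config/update can rewrite such values, any Python
    expression in them runs with the server's privileges."""
    return eval(env[name])  # deliberately unsafe, kept to show the contrast


def get_secret_hardened(name: str, env: dict[str, str],
                        structured: bool = False) -> Any:
    """Hardened pattern: a secret is an opaque string unless the caller
    states that a JSON object is expected; then only json.loads() is used,
    which never evaluates code, and non-object values are rejected."""
    raw = env[name]
    if not structured:
        return raw
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret {name!r} is not valid JSON") from exc
    if not isinstance(value, dict):
        raise ValueError(f"secret {name!r} must be a JSON object")
    return value


# Constructed samples: a benign JSON credential blob, and a value that is a
# Python expression with a visible side effect (it appends to CANARY).
GOOD_ENV = {"GOOGLE_KMS_CREDS": '{"type": "service_account", "project_id": "demo"}'}
BAD_ENV = {"GOOGLE_KMS_CREDS": "CANARY.append('executed') or {}"}


def demo() -> dict[str, Any]:
    """Runs both patterns over the samples and reports what each did."""
    r: dict[str, Any] = {}
    r["vuln_good"] = get_secret_vulnerable("GOOGLE_KMS_CREDS", GOOD_ENV)
    r["vuln_bad"] = get_secret_vulnerable("GOOGLE_KMS_CREDS", BAD_ENV)
    r["canary_after_vuln"] = list(CANARY)  # the expression was executed
    r["hard_good"] = get_secret_hardened("GOOGLE_KMS_CREDS", GOOD_ENV, structured=True)
    try:
        get_secret_hardened("GOOGLE_KMS_CREDS", BAD_ENV, structured=True)
        r["hard_bad"] = "accepted"
    except ValueError:
        r["hard_bad"] = "rejected"  # decoded, never evaluated
    r["canary_after_hard"] = list(CANARY)
    return r
```

The canary only grows under the eval-based path; the JSON path rejects the same value without running anything.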
References
Affected or Relevant Artifacts
- Developer: berriai
- Deployer: berriai
- Artifact Details:
| Type | Name |
|---|---|
| System | berriai/litellm |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Field | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 9.8 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-94 | Improper Control of Generation of Code |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-05-18
- Version: 0.3.3
- AVID Entry