Safety vulnerability ID: 71722
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of berriai/litellm contain a Remote Code Execution (RCE) vulnerability (CWE-94) in the secret management system, specifically in the Google KMS code path. The litellm.get_secret() method passed unsanitized input read from environment variables to eval(), and those environment values could be set through the proxy's /config/update endpoint by updating settings in proxy_server_config.yaml. An attacker with access to that endpoint could therefore inject a Python expression that the proxy would execute with its own privileges. The fix replaces the eval() call with the KMS client's client.decrypt() method, so the stored value is treated as encrypted data to be decrypted rather than as code to be evaluated.
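The following is an added illustration of the pattern described above and its hardened counterpart; it is not litellm's code. The function names (get_secret_unsafe, get_secret_safe, make_env), the base64 encoding of the ciphertext, and the XOR-based fake_kms_decrypt standing in for a real KMS client's decrypt method are all assumptions made for a self-contained, offline demonstration. The constructed MALICIOUS_ENV shows that an attacker-controlled environment value reaches eval() and runs, while the hardened version only ever treats the value as data:

```python
import base64
from typing import Callable, Dict, Optional

# Records side effects caused by eval() so the demo/test can prove that code ran.
SIDE_EFFECTS = []

# Constructed environment: the value is a Python expression, not a secret.
# A config-update path that lets a caller set environment variables is how
# such a value could reach the process in the scenario the advisory describes.
MALICIOUS_ENV: Dict[str, str] = {
    "GOOGLE_KMS_SECRET": "SIDE_EFFECTS.append('code ran') or 'looks-like-a-secret'",
}


def get_secret_unsafe(name: str, environ: Dict[str, str]):
    """CWE-94 pattern (hypothetical stand-in): the env value is evaluated as code.

    Whatever is stored under environ[name] executes with the privileges of the
    process; the expression above appends to SIDE_EFFECTS and then returns a
    harmless-looking string, so the caller sees nothing wrong.
    """
    raw = environ[name]
    return eval(raw)  # deliberately unsafe, kept to show the failure mode


def fake_kms_decrypt(ciphertext: bytes) -> bytes:
    """Stand-in for a KMS client's decrypt call (assumption: XOR with 0x2A)."""
    return bytes(b ^ 0x2A for b in ciphertext)


def make_env(name: str, plaintext: str) -> Dict[str, str]:
    """Build a constructed environment holding base64(fake-encrypted plaintext)."""
    ciphertext = fake_kms_decrypt(plaintext.encode("utf-8"))  # XOR is symmetric
    return {name: base64.b64encode(ciphertext).decode("ascii")}


def get_secret_safe(
    name: str,
    environ: Dict[str, str],
    decrypt: Optional[Callable[[bytes], bytes]] = None,
) -> str:
    """Hardened pattern: the value is data, never code.

    With no decrypt callable the raw string is returned verbatim. With one, the
    value is required to be base64 ciphertext, decoded to bytes and handed to
    the decrypt callable; anything that is not valid base64 is rejected rather
    than interpreted. No interpreter ever sees the value.
    """
    raw = environ[name]
    if decrypt is None:
        return raw
    try:
        # validate=True rejects non-alphabet characters (binascii.Error is a ValueError)
        ciphertext = base64.b64decode(raw, validate=True)
    except ValueError as exc:
        raise ValueError(f"{name}: expected base64-encoded ciphertext") from exc
    return decrypt(ciphertext).decode("utf-8")


if __name__ == "__main__":
    print("unsafe returned:", get_secret_unsafe("GOOGLE_KMS_SECRET", MALICIOUS_ENV))
    print("side effects after eval():", SIDE_EFFECTS)
    print("safe (no decrypt):", get_secret_safe("GOOGLE_KMS_SECRET", MALICIOUS_ENV))
    env = make_env("GOOGLE_KMS_SECRET", "s3cret")
    print("safe (decrypt):", get_secret_safe("GOOGLE_KMS_SECRET", env, decrypt=fake_kms_decrypt))
```

The point of the comparison is that the unsafe variant returns a plausible secret while silently executing the attacker's expression, so nothing in the call site reveals the compromise; the hardened variant either returns the string untouched or fails closed on malformed ciphertext.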
Latest version: 1.52.14
Library to easily interface with LLM API providers