Litellm · Litellm · CVE-2026-42271
**Name of the Vulnerable Software and Affected Versions**
LiteLLM versions 1.74.2 through 1.83.6
**Description**
LiteLLM is a proxy server (AI Gateway) used to call LLM APIs in OpenAI or native format. The endpoints `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list`, used to preview an MCP server, accept a full server configuration in the request body, including the `command`, `args`, and `env` fields used by the stdio transport. When a stdio configuration is provided, the endpoints spawn the supplied command as a subprocess on the proxy host with the privileges of the proxy process. Because these endpoints only require a valid proxy API key and perform no role checks, any authenticated user, including one holding a low-privilege internal-user key, can execute arbitrary commands on the host. This issue has been actively exploited in the wild.
**Recommendations**
Update to version 1.83.7.
As a temporary workaround, block the `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` endpoints at the reverse proxy or API gateway.
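As an added defender-side triage helper (not part of this advisory or of LiteLLM itself), the following Python checks whether a reported proxy version falls in the affected range and scans reverse-proxy access-log lines for POSTs to the two endpoints named above. The Combined Log Format and the sample lines are constructed assumptions; paths are normalized before matching so that detection over-matches rather than misses a variant spelling.

```python
"""Triage helpers for the LiteLLM MCP test-endpoint issue (CVE-2026-42271)."""
import re
from typing import List, Tuple

# Affected range as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = (1, 74, 2)
AFFECTED_MAX = (1, 83, 6)

# The two endpoints named in the advisory that accept a stdio MCP config.
RISKY_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Constructed sample: Combined Log Format lines as a reverse proxy might write them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:01 +0000] "POST /chat/completions HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2026:10:00:07 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 88
10.0.0.9 - - [01/May/2026:10:00:09 +0000] "POST /mcp-rest/test/tools/list/?x=1 HTTP/1.1" 200 140
10.0.0.7 - - [01/May/2026:10:01:00 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 0
"""

# client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.83.6' into (1, 83, 6); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def is_affected(version: str) -> bool:
    """True when the proxy version falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def normalize_path(path: str) -> str:
    """Drop the query string, collapse repeated slashes and strip a trailing
    slash so that a differently spelled request to the same route still matches."""
    path = path.split("?", 1)[0]
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/") or "/"


def find_risky_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, timestamp, raw_path) for every POST to a risky endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip it
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and normalize_path(path) in RISKY_ENDPOINTS:
            hits.append((ip, ts, path))
    return hits
```

Run it against the real access log of the reverse proxy in front of the LiteLLM instance; every hit is a request that reached an endpoint able to spawn a subprocess and deserves review against the key that issued it.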