CVE-2024-2952

Name of the Vulnerable Software and Affected Versions BerriAI/litellm (affected versions not specified)

Description The issue arises from the hf chat template method processing the chat template parameter from the tokenizer config.json file through the Jinja template engine without proper sanitization, allowing Server-Side Template Injection (SSTI) via the "/completions" endpoint. Attackers can exploit this by crafting malicious tokenizer config.json files that execute arbitrary code on the server.

Recommendations As a temporary workaround, consider disabling the hf chat template method until a patch is available. Restrict access to the "/completions" endpoint to minimize the risk of exploitation. Avoid using the chat template parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.