PT-2024-30090 · Google · Google Kms

Published

2024-05-18

·

Updated

2024-07-10

·

CVE-2024-4264

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions berriai/litellm (affected versions not specified)
Description A remote code execution (RCE) vulnerability exists due to improper control of code generation: the litellm.get_secret() method passes untrusted data to Python's eval() without sanitization when the server uses Google KMS as its secret manager. An attacker can inject malicious values into environment variables through the "/config/update" endpoint, which updates settings in the proxy server's config.yaml; when get_secret() later evaluates such a value, the attacker-supplied expression runs with the privileges of the proxy process.
Recommendations As a temporary workaround, consider disabling the litellm.get_secret() method until a patch is available. Restrict access to the "/config/update" endpoint to minimize the risk of exploitation. Do not pass untrusted data to eval() until the issue is resolved. At the time of writing, no information is available about a newer version that contains a fix for this vulnerability.
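The following is an added example, not code from litellm or from this advisory. It models the sink the description names (a config-update path that writes attacker-controlled strings into the environment, and a secret lookup that eval()s them) beside a hardened lookup that only accepts JSON or Python literals. The names config_update, unsafe_get_secret, safe_get_secret and the ENV dictionary are illustrative assumptions, not the project's API, and the injected value is constructed for the demonstration.

```python
"""
Added example (not litellm's own code): why eval() on a value that arrived
through an environment variable / config update is a code-injection sink,
and the literal-only parsing that removes the sink.

All names here are illustrative assumptions, not the project's real API.
"""
import ast
import json

# Constructed stand-in for the proxy's process environment. The advisory says
# an unauthenticated client can populate it through "/config/update".
ENV = {}


def config_update(settings):
    """Simulates the config-update endpoint writing settings into ENV."""
    ENV.update(settings)


def unsafe_get_secret(name):
    """Vulnerable pattern: the raw string is handed straight to eval()."""
    raw = ENV[name]
    # Any Python expression in `raw` executes here with the proxy's privileges.
    return eval(raw)  # noqa: S307


def safe_get_secret(name):
    """Hardened pattern: parse, never execute.

    Accepts JSON first (the common case for structured secrets), then falls
    back to ast.literal_eval, which only builds Python literals (str, int,
    dict, list, ...) and raises on function calls, attribute access and names.
    """
    raw = ENV[name]
    try:
        return json.loads(raw)
    except ValueError:
        pass  # not JSON; try a Python literal next
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"{name}: value is not a JSON or Python literal") from exc


if __name__ == "__main__":
    # Constructed inputs: one legitimate structured secret, one injected
    # expression that calls an arbitrary function (kept harmless here).
    config_update({
        "KMS_CREDENTIALS": '{"project": "demo", "key_ring": "ring-1"}',
        "KMS_INJECTED": "__import__('math').factorial(5)",
    })
    print("safe   :", safe_get_secret("KMS_CREDENTIALS"))
    print("unsafe :", unsafe_get_secret("KMS_INJECTED"))  # attacker's call ran
    try:
        safe_get_secret("KMS_INJECTED")
    except ValueError as err:
        print("safe   :", err)
```

The unsafe function returns 120 for the injected value, proving that a string controlled by the caller of "/config/update" chose which function the proxy executed; swap factorial for a subprocess call and the result is the RCE the advisory describes. The hardened function returns the same data for the legitimate secret and raises for the injected one, so the interim recommendations (restrict "/config/update", stop feeding eval() untrusted input) map directly onto which of these two parsers is reachable.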

Weakness Enumeration

Code Injection (CWE-94, Improper Control of Generation of Code)

Related Identifiers

CVE-2024-4264
GHSA-7GGM-4RJG-594W

Affected Products

Google Kms