PT-2024-33256 · Google · Google Kms

Published 2024-06-06 · Updated 2024-10-15 · CVE-2024-4889

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: berriai/litellm version 1.34.6
Description: A code injection issue exists due to the use of unvalidated input in the eval function within the secret management system. The issue requires a valid Google KMS configuration file to be exploitable. By setting the UI_LOGO_PATH variable to a remote server address in the get_image function, an attacker can write a malicious Google KMS configuration file to the cached logo.jpg file. This file can then be used to execute arbitrary code by assigning malicious code to the SAVE_CONFIG_TO_DB environment variable, leading to full system control. The issue is contingent upon the use of the Google KMS feature.
Recommendations: For version 1.34.6, as a temporary workaround, consider disabling the Google KMS feature until a patch is available. Restrict access to the get_image function and avoid using the UI_LOGO_PATH variable to minimize the risk of exploitation. Additionally, restrict modifications to the SAVE_CONFIG_TO_DB environment variable to prevent arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this issue.
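As an added illustration (hypothetical code, not litellm's own), the safe pattern that removes the primitive described above: the SAVE_CONFIG_TO_DB flag is parsed as a strict boolean literal and the KMS configuration is parsed as JSON and checked against an assumed key set, so neither input ever reaches eval. The key names in _KMS_SCHEMA are assumptions for this example.

```python
import json
from typing import Any, Dict, Optional

# Accepted literals for a boolean flag such as SAVE_CONFIG_TO_DB; anything
# else (e.g. a Python expression) is rejected rather than passed to eval().
_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}


def parse_bool_flag(raw: Optional[str], default: bool = False) -> bool:
    """Parse an environment flag without eval(); raise on anything else."""
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"flag must be a boolean literal, got {raw!r}")


# Keys a Google KMS secret-manager config is assumed (for this example) to
# carry, with the type each must have.
_KMS_SCHEMA: Dict[str, type] = {
    "project_id": str, "location_id": str, "key_ring_id": str, "key_id": str,
}


def load_kms_config(text: str) -> Dict[str, Any]:
    """Parse a KMS config as strict JSON and validate its shape.

    json.loads() never executes code, so a config file replaced with
    attacker-controlled content fails validation instead of running.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"KMS config is not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ValueError("KMS config must be a JSON object")
    unknown = set(data) - set(_KMS_SCHEMA)
    if unknown:
        raise ValueError(f"unexpected keys in KMS config: {sorted(unknown)}")
    for key, typ in _KMS_SCHEMA.items():
        if not isinstance(data.get(key), typ):
            raise ValueError(f"KMS config key {key!r} must be {typ.__name__}")
    return data
```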

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2024-4889

Affected Products: Google Kms