Unsafe Eval Function Use Leading to Remote Code Execution in Configuration Update
Available publicly on May 18 2024
Threat Overview
The core of the vulnerability lies in the litellm.get_secret() function, which unsafely evaluates environment variables using the eval function without proper sanitization or filtering. This flaw is particularly dangerous because it can be exploited by manipulating the server's environment variables through a publicly accessible endpoint (/config/update). By sending a crafted request to this endpoint, an attacker can inject malicious code into an environment variable, which litellm.get_secret() subsequently executes, leading to Remote Code Execution.
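To make the flaw concrete, here is an added illustration (not litellm's own code) of the unsafe pattern next to a hardened replacement and a small audit check a defender can run over values submitted to a config-update endpoint. The function names, the REDIS_HOST/REDIS_PORT sample values and the assumption that the secret reader only needs to parse plain literals are all hypothetical.

```python
import ast
import os
from typing import Any, Mapping, Optional

# Hypothetical names; this is an added example, not litellm's implementation.


def get_secret_unsafe(name: str, env: Optional[Mapping[str, str]] = None) -> Any:
    """Mirrors the flawed pattern: the raw environment value is handed to eval(),
    so any Python expression stored in the variable runs with the server's
    privileges. Kept here only to show the behaviour the advisory describes."""
    env = os.environ if env is None else env
    return eval(env[name])  # the defect: untrusted string evaluated as code


def get_secret_safe(name: str, env: Optional[Mapping[str, str]] = None) -> Any:
    """Hardened form: parse only Python literals (strings, numbers, booleans,
    None, lists, dicts) with ast.literal_eval. Anything else is returned as an
    opaque string and is never executed."""
    env = os.environ if env is None else env
    value = env[name]
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError):
        return value


def looks_like_code(value: str) -> bool:
    """Defender-side audit: True when the value parses as a Python expression
    containing a call, attribute access or lambda, i.e. something eval() would
    execute rather than merely read. Suitable for flagging suspicious values
    before they are written into the process environment."""
    try:
        tree = ast.parse(value, mode="eval")
    except SyntaxError:
        return False
    return any(isinstance(n, (ast.Call, ast.Attribute, ast.Lambda))
               for n in ast.walk(tree))


if __name__ == "__main__":
    # Constructed sample environment: a legitimate quoted host string and one
    # value that is a Python expression instead of a literal.
    sample_env = {"REDIS_HOST": "'redis.internal'", "REDIS_PORT": "len('redis')"}
    print(get_secret_unsafe("REDIS_PORT", sample_env))  # 5: eval ran the call
    print(get_secret_safe("REDIS_PORT", sample_env))    # "len('redis')": inert
    print(looks_like_code(sample_env["REDIS_PORT"]))    # True
```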
Attack Scenario
An attacker first identifies the publicly accessible endpoint /config/update and crafts a request that includes malicious code as the value for an environment variable (e.g., REDIS_HOST). Upon processing this request, the server updates its environment variables accordingly. When the litellm.get_secret() function is later invoked to retrieve the value of the compromised environment variable, the malicious code is executed, achieving Remote Code Execution.
Who is affected
Any deployments of the litellm library version 1.28.11 that utilize the Google KMS for key management and have the /config/update endpoint accessible are vulnerable to this attack. This includes servers and applications that rely on litellm for managing secrets and configurations, potentially leading to unauthorized access and control by attackers.