Severity: Critical
Package: litellm

Unsafe Eval Function Use Leading to Remote Code Execution in Configuration Update

A vulnerability in the `litellm` library allows Remote Code Execution (RCE) through unsafe use of the `eval` function on untrusted data taken from environment variables. The issue affects version 1.28.11 and was patched in the subsequent release. Specifically, `litellm.get_secret()` is affected when the server uses Google KMS, which allows an attacker to execute arbitrary code.

Published: May 18, 2024
CVSS score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit: trongphuc12

Remediation Steps
  • Update litellm to the latest version immediately to patch the vulnerability.
  • Review and restrict access to the /config/update endpoint to prevent unauthorized configuration changes.
  • Implement input validation and sanitization for all data that is executed or evaluated, especially when dealing with environment variables.
  • Regularly audit and monitor environment variables and configuration settings for unexpected or malicious changes.
  • Consider using safer alternatives to the `eval` function for parsing dynamic configuration values, such as `ast.literal_eval` where appropriate, to minimize security risks.
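The pattern behind this advisory, as an added example that is not litellm's code: a value read from an environment variable is handed to `eval()` in the vulnerable helper, while the hardened helper only decodes JSON or Python data literals and otherwise returns the string untouched. The function names and sample values are constructed for this illustration.

```python
import ast
import json
import os
from typing import Any, Mapping

# Added example, not litellm's code. Contrasts the vulnerable pattern named in
# the advisory (eval() over an environment-variable string) with a parser that
# only decodes data literals and never executes the value.


def unsafe_parse_secret(raw: str) -> Any:
    """Vulnerable pattern: eval() runs whatever expression the string holds."""
    return eval(raw)  # do not use; shown only to contrast with safe_parse_secret


def safe_parse_secret(raw: str) -> Any:
    """Decode a secret value without executing it.

    Order: JSON (what secret managers usually hand back), then a Python data
    literal (dict/list/str/number), otherwise the raw string unchanged.
    Names, calls and attribute access are not literals and are never evaluated.
    """
    try:
        return json.loads(raw)
    except ValueError:
        pass
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        # Not a literal: treat it as an opaque token, do not interpret it.
        return raw


def get_secret(name: str, env: Mapping[str, str] = os.environ) -> Any:
    """Look up NAME in ENV (os.environ by default) and decode it safely."""
    raw = env.get(name)
    if raw is None:
        raise KeyError(f"secret {name!r} is not set")
    return safe_parse_secret(raw)


if __name__ == "__main__":
    # Constructed sample: the same text through both parsers.
    sample = 'len("abc")'
    print("eval() executed it:", unsafe_parse_secret(sample))  # 3
    print("safe parser kept it:", safe_parse_secret(sample))   # len("abc")
```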
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A