Medium Severity

litellm

Arbitrary File Deletion Vulnerability in Audio Transcription Endpoint

A vulnerability in the berriai/litellm software allows any user to delete arbitrary files on the server through the `/audio/transcriptions` endpoint. This issue affects the latest version of the software. There is no fixed version mentioned, indicating that the vulnerability may still be present.

Available publicly on Jun 03 2024

CVSS Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Remediation Steps
  • Update the software to a version where the vulnerability is patched, if available.
  • If no patch is available, temporarily disable the `/audio/transcriptions` endpoint until a fix is implemented.
  • Implement proper input validation to ensure that file paths provided by users are within expected boundaries and do not reference critical system files.
  • Consider implementing additional security measures such as API rate limiting and logging to detect and mitigate potential abuse.
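The third remediation step above (confine user-supplied file paths to an expected directory before acting on them) is the kind of check a handler that deletes uploaded audio should perform. The following is an added example written for this advisory, not code from the litellm project; it assumes a hypothetical `upload_dir` where transcription inputs are stored, and works on fully resolved paths so that `..` segments, absolute paths and symlinks pointing outside that directory are all rejected by the same comparison before `unlink()` is ever reached.

```python
"""Confine a user-supplied file name to an allow-listed directory before deleting it.

Added example (not litellm's code). It assumes a hypothetical upload directory
in which transcription inputs are stored; any name that would resolve outside
that directory is rejected before unlink() is called.
"""
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a user-supplied name would resolve outside the upload directory."""


def resolve_within(base_dir: Path, user_name: str) -> Path:
    """Return the resolved path of `user_name` inside `base_dir`, or raise UnsafePathError.

    Two layers: a syntactic check that only a bare file name was supplied, then a
    check on the *resolved* path (symlinks followed) so a link planted inside the
    directory cannot redirect the deletion to a file outside it.
    """
    base = base_dir.resolve()
    if (not user_name or user_name in (".", "..")
            or "/" in user_name or "\\" in user_name or os.sep in user_name):
        raise UnsafePathError(f"invalid file name: {user_name!r}")
    candidate = (base / user_name).resolve()
    # The resolved target must sit strictly below the base directory.
    if candidate == base or os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise UnsafePathError(f"path escapes upload directory: {user_name!r}")
    return candidate


def safe_unlink(base_dir: Path, user_name: str) -> bool:
    """Delete the named file only if it resolves inside base_dir.

    Returns True if a file was removed, False if no such regular file existed.
    Raises UnsafePathError instead of touching anything outside base_dir.
    """
    target = resolve_within(base_dir, user_name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: one legitimate upload, one decoy outside the directory.

    Returns a dict of outcomes so the behaviour can be inspected or asserted on.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        upload_dir = root / "uploads"
        upload_dir.mkdir()
        (upload_dir / "clip.wav").write_bytes(b"RIFF....WAVE")  # constructed sample upload
        secret = root / "secret.txt"  # constructed file outside the upload dir; must survive
        secret.write_text("keep me")
        (upload_dir / "link.wav").symlink_to(secret)  # symlink inside pointing outside

        results = {"legit": safe_unlink(upload_dir, "clip.wav")}
        for name in ["../secret.txt", "/etc/passwd", "link.wav", "..", ""]:
            try:
                results[name] = "deleted" if safe_unlink(upload_dir, name) else "missing"
            except UnsafePathError:
                results[name] = "rejected"
        results["secret_survives"] = secret.exists()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The comparison is done on the output of `Path.resolve()` rather than on the raw string, which is what makes the symlink case fail closed; a check that only inspects the string for `..` would let a planted link through.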
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A