CVE-2024-4264

Description

A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings in `proxy_server_config.yaml`.

How to fix CVE-2024-4264

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2024-4264 being exploited?

Low — EPSS is 3.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 1.28.11

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-4264
• PATCHgithub.com/BerriAI/litellm
• WEBgithub.com/BerriAI/litellm/blob/main/litellm/proxy/proxy_server.py#L2104-L2108
• WEBgithub.com/BerriAI/litellm/blob/main/litellm/proxy/proxy_server.py#L2118