LiteLLM Vulnerable to Arbitrary Code Execution (RCE)
Platform
python
Component
litellm
Fixed in
v1.65.4.dev6
1.40.13
CVE-2024-6825 is a Remote Code Execution (RCE) vulnerability affecting versions of the litellm Python library up to 1.40.12. The flaw allows attackers to execute arbitrary commands on a system by manipulating the 'post_call_rules' configuration. A fix is available in version v1.65.4.dev6, and users are strongly encouraged to upgrade immediately.
Impact and Attack Scenarios
The vulnerability lies in the way litellm handles the 'post_call_rules' configuration, which lets users define callback functions to be executed after a chat response is processed. An attacker can exploit this by injecting a malicious callback function name. The library splits the provided value at the final '.', treating the last part as the function name and appending '.py' to the remainder to locate the module. This allows an attacker to name a system method such as 'os.system' as the callback, which results in arbitrary command execution when a chat response is processed. The potential impact is severe: an attacker could gain complete control over the system running the litellm library, leading to data breaches, system compromise, and further malicious activity.
Exploitation Context
CVE-2024-6825 was published on 2025-03-20. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. While no active exploitation campaigns have been confirmed, the ease of exploitation makes this a high-priority vulnerability to address.
Who Is at Risk
Organizations using litellm for LLM application development and deployment are at risk, particularly those relying on user-configurable 'post_call_rules' for custom logic. Environments where litellm is integrated with sensitive data or critical infrastructure are especially exposed.
Detection Steps

• python / supply-chain:

    # Check a litellm configuration file for suspicious post_call_rules entries.
    # This is a simplified example and may need adjustments.
    with open('/path/to/litellm_config.py', 'r') as f:
        config_content = f.read()
    if 'os.system' in config_content:
        print('Potential CVE-2024-6825 exploitation attempt detected!')

• linux / server:

    # Monitor for suspicious processes spawned by litellm
    ps aux | grep -i litellm | grep -i 'os.system'

• generic web: Inspect the litellm configuration files for any unusual or unexpected callback functions in the 'post_call_rules' setting.
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
1.35% (80th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- Low: any valid user account is sufficient.
- User Interaction
- None: automatic, silent attack. The victim does nothing.
- Scope
- Unchanged: impact limited to the vulnerable component.
- Confidentiality
- High: total loss of confidentiality. The attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete all data.
- Availability
- High: complete outage or resource exhaustion. Total denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2024-6825 is to upgrade to version v1.65.4.dev6 or later. If upgrading immediately is not feasible, consider temporarily disabling the 'post_call_rules' configuration so the vulnerable code path is never reached. Review existing 'post_call_rules' configurations for any suspicious or unexpected function names. Implement input validation and sanitization on any user-provided data used in the 'post_call_rules' configuration to prevent malicious code injection. Monitor system logs for any unusual activity or command executions related to litellm.
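The script below is an added example, not code from this advisory or from the litellm project. It implements the review that both the Detection Steps and the Mitigation section call for: each 'post_call_rules' entry is split at its final '.' the way the advisory describes the lookup, and then rejected if the module part resolves to a standard-library module such as 'os', contains non-identifier characters, or does not map to a .py file inside the project tree. The proxy-style YAML layout (a 'post_call_rules:' list under 'litellm_settings:'), the sample config, the 'rules.moderation' module and all helper names are assumptions constructed for the example.

```python
"""Audit litellm post_call_rules entries before they are loaded.

Added example: the resolution rule mirrored here (split at the last '.',
left part is a module path, right part is the function name) is the one
the advisory describes; the config layout and every name below are
assumptions constructed for illustration.
"""
import pathlib
import sys
import tempfile

# Top-level modules a callback rule must never resolve to. An entry such as
# "os.system" would otherwise be split into module "os" and function "system".
DENIED_MODULES = {"os", "subprocess", "sys", "shutil", "builtins", "importlib"}
STDLIB = getattr(sys, "stdlib_module_names", frozenset())  # Python 3.10+

# Constructed sample config (assumed proxy-style layout, not taken from litellm).
SAMPLE_CONFIG = """\
litellm_settings:
  post_call_rules:
    - rules.moderation.check_response
    - os.system
    - check_response
  drop_params: true
"""


def extract_post_call_rules(config_text):
    """Return the block-list items under the first 'post_call_rules:' key.

    Minimal line-based parsing so the example runs without PyYAML.
    """
    rules, in_block, key_indent = [], False, 0
    for line in config_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("post_call_rules:"):
            in_block, key_indent = True, indent
            continue
        if in_block:
            if stripped.startswith("- ") and indent > key_indent:
                rules.append(stripped[2:].strip().strip("\"'"))
            elif stripped:
                in_block = False  # the next sibling key ends the list
    return rules


def audit_rule(rule, project_root):
    """Return a list of findings for one rule; an empty list means it passed."""
    if "." not in rule:
        return [f"{rule}: malformed, no module part before the function name"]
    module_path, func_name = rule.rsplit(".", 1)
    parts = module_path.split(".")
    findings = []
    if not func_name.isidentifier() or not all(p.isidentifier() for p in parts):
        findings.append(f"{rule}: contains non-identifier characters")
    if parts[0] in DENIED_MODULES or parts[0] in STDLIB:
        findings.append(f"{rule}: resolves to standard-library module {parts[0]!r}")
    # The rule's module must be a .py file inside the project tree, never elsewhere.
    root = pathlib.Path(project_root).resolve()
    candidate = (root / ("/".join(parts) + ".py")).resolve()
    if root not in candidate.parents:
        findings.append(f"{rule}: module would be loaded from outside {root}")
    elif not candidate.is_file():
        findings.append(f"{rule}: no such file {candidate}")
    return findings


def audit_config(config_text, project_root):
    """Audit every rule in a config; returns {rule: [findings]}."""
    return {r: audit_rule(r, project_root) for r in extract_post_call_rules(config_text)}


def demo():
    """Run the audit against a throw-away project tree holding one real rule module."""
    root = pathlib.Path(tempfile.mkdtemp())
    pkg = root / "rules"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("")
    (pkg / "moderation.py").write_text("def check_response(*a, **k):\n    return True\n")
    return audit_config(SAMPLE_CONFIG, root)


if __name__ == "__main__":
    for rule, findings in demo().items():
        print(rule, "OK" if not findings else findings)
```

Run it as a pre-deployment check or a CI step over the real config; the only entry that passes is the one whose module exists under the project root, while 'os.system' is flagged twice (standard-library module, and no such file in the tree) and the dotless entry is rejected as malformed. The allow-by-location rule is the important part: a callback is acceptable only when its module is a file the deployment ships, not anything importable on the host.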
How to Fix
Update the litellm library to version 1.65.4.dev6 or later. This release fixes the remote code execution vulnerability by properly validating the callback functions configured in 'post_call_rules'. Be sure to verify the integrity of the new version after updating.
Frequently Asked Questions
What is CVE-2024-6825 — RCE in litellm?
CVE-2024-6825 is a Remote Code Execution vulnerability in litellm versions up to 1.40.12, allowing attackers to execute arbitrary commands through the 'post_call_rules' configuration.
Am I affected by CVE-2024-6825 in litellm?
You are affected if you are using litellm version 1.40.12 or earlier. Check your version and upgrade immediately.
How do I fix CVE-2024-6825 in litellm?
Upgrade to version v1.65.4.dev6 or later. As a temporary workaround, disable the 'post_call_rules' configuration.
Is CVE-2024-6825 being actively exploited?
No active exploitation campaigns have been confirmed, but the vulnerability's ease of exploitation warrants immediate attention and mitigation.
Where can I find the official litellm advisory for CVE-2024-6825?
Refer to the litellm project's official security advisories and release notes on their GitHub repository for the latest information.