CVE-2024-5751

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-5751
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5751.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-5751
Aliases
Published
2024-06-27T19:15:16Z
Modified
2025-02-19T03:23:40.881633Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the add_deployment function, which decodes and decrypts environment variables from base64 and assigns them to os.environ. An attacker can exploit this by sending a malicious payload to the /config/update endpoint, which is then processed and executed by the server when the get_secret function is triggered. This requires the server to use Google KMS and a database to store a model.

References

Affected packages

Git / github.com/berriai/litellm

Affected ranges

Type
GIT
Repo
https://github.com/berriai/litellm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

1.*

1.16.12
1.16.13
1.16.14
1.34.2
1.34.20-stable
1.34.28.dev3
1.34.35-stable
1.34.39.dev1
1.34.40.dev1
1.35.1.dev1
1.35.5.dev2

Other

latest
pr-litellm-spend-logs-db
stable
test

v.*

v.1.32.34-stable

v0.*

v0.1.387
v0.1.492
v0.1.574
v0.1.738
v0.11.1
v0.8.4

v1.*

v1.1.0
v1.10.4
v1.11.1
v1.15.0
v1.15.5
v1.16-test2
v1.16-test3
v1.16-test4
v1.16.13
v1.16.15
v1.16.16
v1.16.17
v1.16.17-test
v1.16.17-test2
v1.16.17-test3
v1.16.18
v1.16.19
v1.16.20
v1.16.20.dev1
v1.16.20.dev3
v1.16.21
v1.16.3
v1.16.6
v1.17.0
v1.17.1
v1.17.10
v1.17.12
v1.17.13
v1.17.14
v1.17.15
v1.17.16
v1.17.17
v1.17.18
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.17.7
v1.17.8
v1.17.9
v1.18.0
v1.18.1
v1.18.10
v1.18.11
v1.18.12
v1.18.13
v1.18.2
v1.18.3
v1.18.4
v1.18.5
v1.18.6
v1.18.7
v1.18.8
v1.18.9
v1.19.0
v1.19.2
v1.19.3
v1.19.4
v1.19.6
v1.20.0
v1.20.1
v1.20.2
v1.20.3
v1.20.5
v1.20.6
v1.20.7
v1.20.8
v1.20.9
v1.21.0
v1.21.1
v1.21.4
v1.21.5
v1.21.6
v1.21.7
v1.22.10
v1.22.11
v1.22.2
v1.22.3
v1.22.5
v1.22.8
v1.22.9
v1.23.0
v1.23.1
v1.23.10
v1.23.12
v1.23.14
v1.23.15
v1.23.16
v1.23.2
v1.23.3
v1.23.4
v1.23.5
v1.23.7
v1.23.8
v1.23.9
v1.24.1
v1.24.3
v1.24.5
v1.24.6
v1.25.0
v1.25.1
v1.25.2
v1.26.0
v1.26.1
v1.26.10
v1.26.11
v1.26.13
v1.26.2
v1.26.3
v1.26.4
v1.26.5
v1.26.6
v1.26.7
v1.26.8
v1.26.9
v1.27.1
v1.27.10
v1.27.14
v1.27.15
v1.27.4
v1.27.6
v1.27.7
v1.27.8
v1.27.9
v1.28.0
v1.28.1
v1.28.10
v1.28.11
v1.28.13
v1.28.2
v1.28.3
v1.28.4
v1.28.6
v1.28.7
v1.28.8
v1.28.9
v1.29.1
v1.29.3
v1.29.4
v1.29.5
v1.29.7
v1.30.0
v1.30.1
v1.30.2
v1.30.3
v1.30.4
v1.30.5
v1.30.6
v1.30.7
v1.31.10
v1.31.12
v1.31.12-dev
v1.31.12-dev1
v1.31.12-dev3
v1.31.13
v1.31.14
v1.31.15
v1.31.16
v1.31.17
v1.31.2
v1.31.3
v1.31.4
v1.31.5
v1.31.6
v1.31.7
v1.31.8
v1.31.9
v1.32.1
v1.32.3
v1.32.33-stable
v1.32.33.dev1
v1.32.4
v1.32.7
v1.32.7.dev1
v1.32.7.dev3
v1.32.7.dev5
v1.32.9
v1.33.0
v1.33.1
v1.33.2
v1.33.3
v1.33.4
v1.33.7
v1.33.8
v1.33.9
v1.34.0
v1.34.1
v1.34.10
v1.34.10.dev1
v1.34.12
v1.34.13
v1.34.14
v1.34.16
v1.34.17
v1.34.18
v1.34.19
v1.34.20
v1.34.21
v1.34.21-stable
v1.34.22
v1.34.22-stable
v1.34.22.dev15-stable
v1.34.23-stable
v1.34.25
v1.34.26
v1.34.27
v1.34.28
v1.34.28.dev12
v1.34.29
v1.34.3
v1.34.33
v1.34.34
v1.34.34.dev1
v1.34.35
v1.34.36
v1.34.36.dev2
v1.34.37
v1.34.37.dev1
v1.34.38
v1.34.39
v1.34.4
v1.34.4.dev1
v1.34.4.dev2
v1.34.40
v1.34.41
v1.34.42
v1.34.5
v1.34.6
v1.34.8
v1.34.8.dev1
v1.35.0
v1.35.1
v1.35.1.dev1
v1.35.1.dev2
v1.35.2
v1.35.2.dev4
v1.35.3
v1.35.4
v1.35.5
v1.35.6
v1.35.7
v1.35.8
v1.7.1
v1.7.11