CVE-2024-6825

Source
https://cve.org/CVERecord?id=CVE-2024-6825
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6825.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-6825
Aliases
Published
2025-03-20T10:15:33.237Z
Modified
2026-04-10T05:51:53.709032Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue lies in the handling of the 'post_call_rules' configuration, where a callback function can be added. The provided value is split at the final '.': the last part is treated as the function name, and the remaining part has the '.py' extension appended and is imported. Because the value is not restricted, an attacker can set a system method, such as 'os.system', as a callback, enabling the execution of arbitrary commands when a chat response is processed.
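
The resolution pattern described above, next to an allowlisted form and a configuration audit, as an added example (not litellm's code and not part of the original record). It simplifies the '.py' file import to importlib.import_module; the function names, the allowlist entries and the sample settings are assumptions constructed for illustration.

```python
import importlib
import os

# Constructed allowlist of operator-reviewed callback paths (hypothetical entries).
ALLOWED_CALLBACKS = frozenset({"json.dumps"})


def split_callback(value):
    """Split at the final '.', as the advisory describes: (module path, function name)."""
    module_name, sep, func_name = value.rpartition(".")
    if not sep or not module_name or not func_name:
        raise ValueError(f"not a dotted callback path: {value!r}")
    return module_name, func_name


def resolve_unrestricted(value):
    """Flawed pattern: import whatever module the value names and return the attribute."""
    module_name, func_name = split_callback(value)
    return getattr(importlib.import_module(module_name), func_name)


def resolve_allowlisted(value, allowed=ALLOWED_CALLBACKS):
    """Hardened pattern: exact match against reviewed paths before any import happens."""
    if value not in allowed:
        raise PermissionError(f"callback {value!r} is not on the allowlist")
    return resolve_unrestricted(value)


def audit_rules(settings, allowed=ALLOWED_CALLBACKS):
    """Return the configured rule callbacks that the allowlist would reject."""
    rules = settings.get("post_call_rules") or []
    if isinstance(rules, str):
        rules = [rules]
    return [rule for rule in rules if rule not in allowed]


# Constructed sample settings: one reviewed callback, one system function.
SAMPLE_SETTINGS = {"post_call_rules": ["json.dumps", "os.system"]}

if __name__ == "__main__":
    # The unrestricted resolver hands back the real os.system (resolved only, never called).
    print(resolve_unrestricted("os.system") is os.system)
    print(audit_rules(SAMPLE_SETTINGS))
```

The allowlist check runs before the import, so a rejected value never causes a module to be loaded.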

References

Affected packages

Git / github.com/berriai/litellm

Affected ranges

Type
GIT
Repo
https://github.com/berriai/litellm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.65.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.65.4-dev2"
        }
    ]
}

Affected versions

1.*
1.16.12
1.16.13
1.16.14
1.34.2
1.34.20-stable
1.34.28.dev3
1.34.35-stable
1.34.39.dev1
1.35.1.dev1
1.35.13.dev1
1.35.24.dev6
1.35.33.dev4
1.35.36.dev1
1.35.5.dev2
1.40.8.dev1
1.41.11.dev5
1.41.12.dev1
1.41.14.dev15
1.44.6
1.64.0.dev1
Other
latest
pr-litellm-spend-logs-db
stable
test
v.*
v.1.32.34-stable
v0.*
v0.1.387
v0.1.492
v0.1.574
v0.1.738
v0.11.1
v0.8.4
v1.*
v1.1.0
v1.10.4
v1.11.1
v1.15.0
v1.15.5
v1.16-test2
v1.16-test3
v1.16-test4
v1.16.13
v1.16.15
v1.16.16
v1.16.17
v1.16.17-test
v1.16.17-test2
v1.16.17-test3
v1.16.18
v1.16.19
v1.16.20
v1.16.20.dev1
v1.16.20.dev3
v1.16.21
v1.16.3
v1.16.6
v1.17.0
v1.17.1
v1.17.10
v1.17.12
v1.17.13
v1.17.14
v1.17.15
v1.17.16
v1.17.17
v1.17.18
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.17.7
v1.17.8
v1.17.9
v1.18.0
v1.18.1
v1.18.10
v1.18.11
v1.18.12
v1.18.13
v1.18.2
v1.18.4
v1.18.5
v1.18.6
v1.18.7
v1.18.8
v1.18.9
v1.19.0
v1.19.2
v1.19.3
v1.19.4
v1.19.6
v1.20.0
v1.20.1
v1.20.2
v1.20.3
v1.20.5
v1.20.6
v1.20.7
v1.20.8
v1.20.9
v1.21.0
v1.21.1
v1.21.4
v1.21.5
v1.21.6
v1.21.7
v1.22.10
v1.22.11
v1.22.2
v1.22.3
v1.22.5
v1.22.8
v1.22.9
v1.23.0
v1.23.1
v1.23.10
v1.23.12
v1.23.14
v1.23.15
v1.23.16
v1.23.2
v1.23.3
v1.23.4
v1.23.5
v1.23.7
v1.23.8
v1.23.9
v1.24.1
v1.24.3
v1.24.5
v1.24.6
v1.25.0
v1.25.1
v1.25.2
v1.26.0
v1.26.1
v1.26.10
v1.26.11
v1.26.13
v1.26.2
v1.26.3
v1.26.4
v1.26.5
v1.26.6
v1.26.7
v1.26.8
v1.26.9
v1.27.1
v1.27.10
v1.27.14
v1.27.15
v1.27.4
v1.27.6
v1.27.7
v1.27.8
v1.27.9
v1.28.0
v1.28.1
v1.28.10
v1.28.11
v1.28.13
v1.28.2
v1.28.3
v1.28.4
v1.28.6
v1.28.7
v1.28.8
v1.28.9
v1.29.1
v1.29.3
v1.29.4
v1.29.5
v1.29.7
v1.30.0
v1.30.1
v1.30.2
v1.30.3
v1.30.4
v1.30.5
v1.30.6
v1.30.7
v1.31.10
v1.31.12
v1.31.12-dev
v1.31.12-dev1
v1.31.12-dev3
v1.31.13
v1.31.14
v1.31.15
v1.31.16
v1.31.17
v1.31.2
v1.31.3
v1.31.4
v1.31.5
v1.31.6
v1.31.7
v1.31.8
v1.31.9
v1.32.1
v1.32.3
v1.32.33-stable
v1.32.33.dev1
v1.32.4
v1.32.7
v1.32.7.dev1
v1.32.7.dev3
v1.32.7.dev5
v1.32.9
v1.33.0
v1.33.1
v1.33.2
v1.33.3
v1.33.4
v1.33.7
v1.33.8
v1.33.9
v1.34.0
v1.34.1
v1.34.10
v1.34.10.dev1
v1.34.12
v1.34.13
v1.34.14
v1.34.16
v1.34.17
v1.34.18
v1.34.19
v1.34.20
v1.34.21
v1.34.21-stable
v1.34.22
v1.34.22-stable
v1.34.22.dev15-stable
v1.34.23-stable
v1.34.25
v1.34.26
v1.34.27
v1.34.28
v1.34.28.dev12
v1.34.29
v1.34.3
v1.34.33
v1.34.34
v1.34.34.dev1
v1.34.35
v1.34.36
v1.34.36.dev2
v1.34.37
v1.34.37.dev1
v1.34.38
v1.34.39
v1.34.4
v1.34.4.dev1
v1.34.4.dev2
v1.34.40
v1.34.41
v1.34.42
v1.34.5
v1.34.6
v1.34.8
v1.34.8.dev1
v1.35.0
v1.35.1
v1.35.1.dev1
v1.35.1.dev2
v1.35.10
v1.35.11
v1.35.12
v1.35.13
v1.35.14
v1.35.15
v1.35.15-stable
v1.35.16
v1.35.17
v1.35.18
v1.35.19
v1.35.2
v1.35.20
v1.35.20.dev2
v1.35.21
v1.35.21-stable
v1.35.23
v1.35.24
v1.35.24.dev1
v1.35.25
v1.35.26
v1.35.26.dev1
v1.35.28
v1.35.28.dev1
v1.35.29
v1.35.3
v1.35.30
v1.35.31
v1.35.32
v1.35.32.dev1
v1.35.33
v1.35.33.dev1
v1.35.33.dev2
v1.35.33.dev3
v1.35.34
v1.35.35
v1.35.35.dev1
v1.35.36
v1.35.36-dev2
v1.35.37
v1.35.38
v1.35.38-stable
v1.35.4
v1.35.5
v1.35.6
v1.35.7
v1.35.8
v1.35.8.dev1
v1.36.0
v1.36.1
v1.36.2
v1.36.2-stable
v1.36.3
v1.36.4
v1.36.4-stable
v1.37.0
v1.37.0.dev_version_headers
v1.37.10
v1.37.11
v1.37.12
v1.37.12-stable
v1.37.12.dev1
v1.37.13
v1.37.13-stable
v1.37.14
v1.37.16
v1.37.16-stable
v1.37.17
v1.37.19
v1.37.19-stable
v1.37.2
v1.37.20
v1.37.20.dev1
v1.37.3
v1.37.3-stable
v1.37.5
v1.37.5-stable
v1.37.6
v1.37.7
v1.37.7-stable
v1.37.9
v1.37.9-stable
v1.38.0
v1.38.0-stable
v1.38.1
v1.38.10
v1.38.11
v1.38.12
v1.38.2
v1.38.3
v1.38.4
v1.38.4-stable
v1.38.5
v1.38.7
v1.38.7-stable
v1.38.8
v1.38.8-stable
v1.39.2
v1.39.3
v1.39.4
v1.39.5
v1.39.5-stable
v1.39.6
v1.40.0
v1.40.1
v1.40.1.dev2
v1.40.1.dev4
v1.40.10
v1.40.11
v1.40.12
v1.40.13
v1.40.14
v1.40.15
v1.40.16
v1.40.17
v1.40.19
v1.40.2
v1.40.2-stable
v1.40.20
v1.40.21
v1.40.22
v1.40.24
v1.40.25
v1.40.26
v1.40.27
v1.40.28
v1.40.29
v1.40.3
v1.40.3-stable
v1.40.31
v1.40.4
v1.40.5
v1.40.6
v1.40.7
v1.40.7.dev1
v1.40.8
v1.40.8-stable
v1.40.9
v1.40.9-stable
v1.41.0
v1.41.0-stable
v1.41.1
v1.41.11
v1.41.11.dev1
v1.41.12
v1.41.13
v1.41.14
v1.41.14.dev10
v1.41.14.dev8
v1.41.15
v1.41.17
v1.41.18
v1.41.19
v1.41.2
v1.41.2-stable
v1.41.20
v1.41.21
v1.41.22
v1.41.23
v1.41.23-stable
v1.41.24
v1.41.24.dev1
v1.41.25
v1.41.26
v1.41.26.dev1
v1.41.27
v1.41.28
v1.41.3
v1.41.3.dev2
v1.41.4
v1.41.4.dev1
v1.41.5
v1.41.5.dev1
v1.41.6
v1.41.6.dev1
v1.41.7
v1.41.8
v1.41.8.dev1
v1.41.8.dev2
v1.42.0
v1.42.0-stable
v1.42.1
v1.42.10
v1.42.10-stable
v1.42.11
v1.42.12
v1.42.2
v1.42.2-stable
v1.42.3
v1.42.3-stable
v1.42.4
v1.42.4-stable
v1.42.5
v1.42.5-dev1
v1.42.5-dev2
v1.42.5-stable
v1.42.6
v1.42.7
v1.42.7-stable
v1.42.8
v1.42.9
v1.42.9-stable
v1.42.9-stable-fix
v1.42.9.dev1
v1.43.0
v1.43.1
v1.43.1-dev1
v1.43.10
v1.43.10-stable
v1.43.12
v1.43.13
v1.43.13-stable
v1.43.15
v1.43.15-stable
v1.43.16
v1.43.16-stable
v1.43.17
v1.43.18
v1.43.18-stable
v1.43.19
v1.43.19-stable
v1.43.19.dev1
v1.43.19.dev2
v1.43.2
v1.43.3
v1.43.4
v1.43.4.dev5
v1.43.5
v1.43.5-stable
v1.43.6
v1.43.6-stable
v1.43.6.dev1
v1.43.7
v1.43.7-stable
v1.43.9
v1.44.1
v1.44.10
v1.44.10-stable
v1.44.11
v1.44.11-stable
v1.44.12
v1.44.12-stable
v1.44.13
v1.44.13-stable
v1.44.14
v1.44.14-stable
v1.44.15
v1.44.15-stable
v1.44.16
v1.44.16-stable
v1.44.17
v1.44.17-stable
v1.44.18
v1.44.18-stable
v1.44.19
v1.44.19-stable
v1.44.2
v1.44.21
v1.44.21-stable
v1.44.22
v1.44.22-stable
v1.44.23
v1.44.23-stable
v1.44.24
v1.44.25
v1.44.26
v1.44.27
v1.44.28
v1.44.3
v1.44.4
v1.44.4.dev2
v1.44.5
v1.44.6
v1.44.6-stable
v1.44.7
v1.44.8
v1.44.8-dev1
v1.44.9
v1.45.0
v1.46.0
v1.46.1
v1.46.2
v1.46.4
v1.46.5
v1.46.6
v1.46.7
v1.46.8
v1.47.0
v1.47.1
v1.47.2
v1.47.2.dev4
v1.48.0
v1.48.1
v1.48.10
v1.48.11
v1.48.11-stable
v1.48.12
v1.48.14
v1.48.14-stable
v1.48.15
v1.48.16
v1.48.16-stable
v1.48.17
v1.48.17-stable
v1.48.18
v1.48.19
v1.48.19-stable
v1.48.2
v1.48.2.dev8
v1.48.3
v1.48.4
v1.48.4-stable
v1.48.5
v1.48.5-stable
v1.48.5.dev1
v1.48.6
v1.48.7
v1.48.7-stable
v1.48.8
v1.48.8-stable
v1.48.9
v1.48.9-stable
v1.49.0
v1.49.0-stable
v1.49.1
v1.49.2
v1.49.2-stable
v1.49.3
v1.49.3-stable
v1.49.4
v1.49.5
v1.49.6
v1.49.6-stable
v1.49.7
v1.49.7-stable
v1.50.0
v1.50.0-stable
v1.50.1
v1.50.1-stable
v1.50.2
v1.50.2-stable
v1.50.4
v1.50.4-stable
v1.51.0
v1.51.0-stable
v1.51.1
v1.51.1-stable
v1.51.2
v1.51.3
v1.51.3.dev10
v1.52.0
v1.52.0-stable
v1.52.1
v1.52.10
v1.52.11
v1.52.12
v1.52.14
v1.52.15
v1.52.16
v1.52.16.dev1
v1.52.2
v1.52.3
v1.52.4
v1.52.5
v1.52.6
v1.52.8
v1.52.9
v1.53.1
v1.53.2
v1.53.3
v1.53.4
v1.53.5
v1.53.6
v1.53.7
v1.53.7-stable
v1.53.7.dev4
v1.53.8
v1.53.9
v1.54.0
v1.54.1
v1.55.0
v1.55.1
v1.55.10
v1.55.11
v1.55.12
v1.55.2
v1.55.3
v1.55.4
v1.55.4-test-release
v1.55.4-test-release-2
v1.55.8
v1.55.9
v1.55.9-test
v1.55.9-test2
v1.56.10
v1.56.2
v1.56.3
v1.56.4
v1.56.5
v1.56.6
v1.56.8
v1.56.9
v1.57.0
v1.57.1
v1.57.10
v1.57.11
v1.57.2
v1.57.3
v1.57.4
v1.57.5
v1.57.7
v1.57.8
v1.58.0
v1.58.1
v1.58.2
v1.58.4
v1.59.0
v1.59.1
v1.59.10
v1.59.2
v1.59.3
v1.59.5
v1.59.6
v1.59.7
v1.59.8
v1.59.9
v1.60.0
v1.60.0.dev2
v1.60.0.dev4
v1.60.2
v1.60.2-dev1
v1.60.4
v1.60.5
v1.60.6
v1.60.8
v1.61.0
v1.61.1
v1.61.11-nightly
v1.61.13-nightly
v1.61.13.rc
v1.61.15-nightly
v1.61.16-nightly
v1.61.17-nightly
v1.61.19-nightly
v1.61.2-nightly
v1.61.20-nightly
v1.61.20.rc
v1.61.3
v1.61.3-nightly
v1.61.3.dev1
v1.61.4-nightly
v1.61.5-nightly
v1.61.6-nightly
v1.61.7
v1.61.7-nightly
v1.61.7.dev1
v1.61.8-nightly
v1.61.9-nightly
v1.62.1-nightly
v1.62.4-nightly
v1.63.0-nightly
v1.63.11-nightly
v1.63.11-stable
v1.63.12-nightly
v1.63.14-nightly
v1.63.14.rc
v1.63.2-nightly
v1.63.3-nightly
v1.63.5-nightly
v1.63.6-nightly
v1.63.6.dev1
v1.63.7-nightly
v1.63.8-nightly
v1.64.1-nightly
v1.65.0-nightly
v1.65.0.rc
v1.65.1-nightly
v1.65.2.dev1
v1.65.3-nightly
v1.65.4-nightly
v1.65.4.dev2
v1.7.1
v1.7.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6825.json"