GHSA-wxxx-gvqv-xp7p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wxxx-gvqv-xp7p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-wxxx-gvqv-xp7p/GHSA-wxxx-gvqv-xp7p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wxxx-gvqv-xp7p
- Aliases
-
- CVE-2026-40217
- Downstream
- Published
- 2026-05-11T16:17:23Z
- Modified
- 2026-05-11T16:37:33.396331Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- LiteLLM has a sandbox escape in custom-code guardrail
- Details
-
Impact
The
POST /guardrails/test_custom_codeendpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.Reaching the endpoint requires a proxy-admin credential in default configurations.
Patches
Fixed in
1.83.11. The hand-rolled sandbox has been replaced withRestrictedPython. Upgrade to1.83.11or later.Workarounds
If upgrading is not immediately possible, block
POST /guardrails/test_custom_codeat your reverse proxy or API gateway.References
- Patched release:
v1.83.10-stable
- Patched release:
- Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-420", "CWE-913" ], "github_reviewed": true, "github_reviewed_at": "2026-05-11T16:17:23Z", "nvd_published_at": null }- References
Affected packages
PyPI / litellm
Package
- Name
- litellm
- View open source insights on deps.dev
- Purl
- pkg:pypi/litellm