BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the /completions
endpoint. The vulnerability arises from the hf_chat_template
method processing the chat_template
parameter from the tokenizer_config.json
file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious tokenizer_config.json
files that execute arbitrary code on the server.
{ "nvd_published_at": "2024-04-10T17:15:54Z", "cwe_ids": [ "CWE-76" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-04-10T22:18:53Z" }