Server-Side Template Injection (SSTI) Vulnerability in BerriAI/litellm
CVE-2024-2952

9.8CRITICAL

Key Information:

Vendor: Berriai
Status: Berriai/litellm
Vendor: CVE Published:; 10 April 2024

What is CVE-2024-2952?

BerriAI's Litellm product is compromised by a vulnerability allowing Server-Side Template Injection (SSTI) through the /completions endpoint. The issue stems from the hf_chat_template method inadequately processing the chat_template parameter originating from the tokenizer_config.json file. This lack of proper sanitization enables attackers to craft malicious tokenizer_config.json files that can execute arbitrary code on the server. Without stringent checks and validation, the exploitation poses significant security risks, allowing for unauthorized commands to be run with the privileges of the server.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

berriai/litellm < 1.34.42

References

https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb5...

https://github.com/berriai/litellm/commit/8a1cdc901708b07...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 10, 2024
Vulnerability Reserved
Mar 26, 2024

JSON

Berriai

What is CVE-2024-2952?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.