Server-Side Template Injection in BerriAI/litellm
Description
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the /completions endpoint. The vulnerability arises from the hf_chat_template method processing the chat_template parameter from the tokenizer_config.json file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious tokenizer_config.json files that execute arbitrary code on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BerriAI/litellm SSTI via /completions endpoint due to unsanitized Jinja template processing in hf_chat_template.
CVE-2024-2952 is a Server-Side Template Injection (SSTI) vulnerability found in BerriAI/litellm, an open-source AI Gateway that provides a unified API for over 100 large language models [1]. The flaw resides in the /completions endpoint, specifically within the hf_chat_template method. This method processes the chat_template parameter from a Hugging Face model's tokenizer_config.json file through the Jinja template engine without proper sanitization of user-controlled input [2][3].
An attacker can exploit this vulnerability by crafting a malicious tokenizer_config.json file that contains Jinja template directives. Because the template is rendered server-side using Jinja2's Environment class (which allows arbitrary code execution by default), the attacker can inject expressions that execute arbitrary Python code on the litellm server [2][4]. The attack requires the ability to influence the chat_template value, which can occur when an application allows users to specify a model or tokenizer configuration from external sources.
Successful exploitation grants the attacker arbitrary code execution on the server running litellm. This could lead to full system compromise, including data exfiltration, lateral movement within the environment, or disruption of the AI gateway service. The vulnerability is classified as critical due to the high impact of remote code execution without authentication [2].
The vulnerability was addressed in a commit referenced as 8a1cdc9, which replaced the standard Jinja2 Environment with an ImmutableSandboxedEnvironment and used a BaseLoader to restrict template features [4]. Users are strongly advised to update to the patched version immediately. No known public exploits have been reported at the time of publication, but the technical details are publicly available.
- GitHub - BerriAI/litellm: Python SDK, Proxy Server (AI Gateway) to call 100+ LLM APIs in OpenAI (or native) format, with cost tracking, guardrails, loadbalancing and logging. [Bedrock, Azure, OpenAI, VertexAI, Cohere, Anthropic, Sagemaker, HuggingFace, VLLM, NVIDIA NIM]
- NVD - CVE-2024-2952
- litellm/litellm/proxy/proxy_server.py at 0d803e13798db40aa7463e64a6bafaee386424f5 · BerriAI/litellm
- Merge pull request #2941 from BerriAI/litellm_fix_sec_report · BerriAI/litellm@8a1cdc9
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
litellmPyPI | < 1.34.42 | 1.34.42 |
Affected products
2- berriai/berriai/litellmv5Range: unspecified
Patches
18a1cdc901708Merge pull request #2941 from BerriAI/litellm_fix_sec_report
1 file changed · +11 −7
litellm/llms/prompt_templates/factory.py+11 −7 modified@@ -1,7 +1,8 @@ from enum import Enum import requests, traceback import json, re, xml.etree.ElementTree as ET -from jinja2 import Template, exceptions, Environment, meta +from jinja2 import Template, exceptions, meta, BaseLoader +from jinja2.sandbox import ImmutableSandboxedEnvironment from typing import Optional, Any import imghdr, base64 from typing import List @@ -219,6 +220,15 @@ def phind_codellama_pt(messages): def hf_chat_template(model: str, messages: list, chat_template: Optional[Any] = None): + # Define Jinja2 environment + env = ImmutableSandboxedEnvironment() + + def raise_exception(message): + raise Exception(f"Error message - {message}") + + # Create a template object from the template text + env.globals["raise_exception"] = raise_exception + ## get the tokenizer config from huggingface bos_token = "" eos_token = "" @@ -249,12 +259,6 @@ def _get_tokenizer_config(hf_model_name): eos_token = tokenizer_config["eos_token"] chat_template = tokenizer_config["chat_template"] - def raise_exception(message): - raise Exception(f"Error message - {message}") - - # Create a template object from the template text - env = Environment() - env.globals["raise_exception"] = raise_exception try: template = env.from_string(chat_template) except Exception as e:
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-46cm-pfwv-cgf8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-2952ghsaADVISORY
- github.com/BerriAI/litellm/blob/0d803e13798db40aa7463e64a6bafaee386424f5/litellm/proxy/proxy_server.pyghsaWEB
- github.com/BerriAI/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3ghsaWEB
- github.com/BerriAI/litellm/issues/2949ghsaWEB
- github.com/BerriAI/litellm/pull/2941ghsaWEB
- huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4ghsaWEB
- github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3mitre
News mentions
0No linked articles in our index yet.