VYPR
High severityNVD Advisory· Published Jun 6, 2024· Updated Nov 3, 2024

Arbitrary File Deletion in BerriAI/litellm

CVE-2024-4888

Description

BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the /audio/transcriptions endpoint. An attacker can exploit this vulnerability by sending a specially crafted request that includes a file path to the server, which then deletes the specified file without proper authorization or validation. This vulnerability is present in the code where os.remove(file.filename) is used to delete a file, allowing any user to delete critical files on the server such as SSH keys, SQLite databases, or configuration files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
litellmPyPI
< 1.35.361.35.36

Affected products

2
  • ghsa-coords
    Range: < 1.35.36
  • berriai/berriai/litellmv5
    Range: unspecified

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.