VYPR
High severity · NVD Advisory · Published Jun 6, 2024 · Updated Nov 3, 2024

Arbitrary File Deletion in BerriAI/litellm

CVE-2024-4888

Description

BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the /audio/transcriptions endpoint. An attacker can exploit this vulnerability by sending a specially crafted request that includes a file path to the server, which then deletes the specified file without proper authorization or validation. This vulnerability is present in the code where os.remove(file.filename) is used to delete a file, allowing any user to delete critical files on the server such as SSH keys, SQLite databases, or configuration files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LiteLLM's /audio/transcriptions endpoint allows arbitrary file deletion via unsanitized user-supplied file paths, risking loss of critical server data.

Root Cause

CVE-2024-4888 affects BerriAI's LiteLLM AI Gateway. The vulnerability resides in the /audio/transcriptions endpoint, where improper input validation allows an attacker to supply an arbitrary file path that is passed directly to the os.remove(file.filename) call. This means any user of the API can specify a path to a file on the server's filesystem, and the server will delete it without verifying authorization or the file's purpose [1][3].

Exploitation

An attacker can exploit this flaw by sending a crafted HTTP request to the /audio/transcriptions endpoint, including a file path (e.g., ../../etc/ssh/ssh_host_rsa_key) that points to a sensitive resource. The endpoint does not require any special authentication beyond normal API access, making it accessible to any valid user of the LiteLLM proxy server. The fix, implemented in pull request #3193, introduces validation to restrict which paths can be used in this operation [2].

Impact

Successful exploitation allows unauthenticated (or low-privilege) users to delete critical files such as SSH keys, SQLite databases, configuration files, or any other file the server process has permission to remove. This can lead to denial of service (e.g., database loss), privilege escalation (e.g., removing SSH keys to lock out administrators), or complete compromise of the server's integrity [3][4].

Mitigation

A security fix has been merged via pull request #3193 in the official LiteLLM repository. Users are strongly advised to update to the latest patched version immediately. No workaround is available beyond restricting network access to the endpoint until the update is applied [2][4].
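The Root Cause and Mitigation sections above describe the defect (a client-controlled `file.filename` passed straight to `os.remove`) and the shape of the fix (restrict which paths the cleanup step may touch). The following is an added example, not LiteLLM's own code and not the contents of pull request #3193: it places the vulnerable pattern beside a hardened handler flow in which the server chooses the temporary file name itself and the delete step refuses anything that does not resolve to a regular file directly inside the upload directory. `UPLOAD_DIR`, `store_upload`, `safe_remove` and `transcription_request` are names invented for this example.

```python
"""Added example (not LiteLLM code): why os.remove(file.filename) is dangerous,
and a server-side pattern that never lets a client-supplied string choose a path."""
import os
import tempfile
from pathlib import Path

# Constructed upload directory for this example; a real server would configure its own.
UPLOAD_DIR = Path(tempfile.mkdtemp(prefix="upload_example_"))

# Extensions the server is willing to keep from the client name; anything else becomes .bin
ALLOWED_EXTENSIONS = {".wav", ".mp3", ".m4a", ".flac", ".ogg"}


def vulnerable_cleanup(filename: str) -> None:
    """The pattern the advisory describes: whatever the client sent becomes the path.
    Kept only to contrast with the hardened functions below; never call it."""
    os.remove(filename)


def store_upload(data: bytes, client_filename: str) -> Path:
    """Write the upload under a name the *server* generates inside UPLOAD_DIR.

    The client-supplied name is reduced to its extension, and even that is
    checked against an allow-list, so it can never contribute directory
    components such as '..' or an absolute prefix.
    """
    ext = Path(client_filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        ext = ".bin"
    fd, path = tempfile.mkstemp(dir=UPLOAD_DIR, prefix="audio_", suffix=ext)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return Path(path)


def safe_remove(candidate: "os.PathLike[str] | str") -> bool:
    """Delete only a regular file that, after symlinks are resolved, sits directly in UPLOAD_DIR.

    Returns True if a file was removed, False if the path was rejected or absent.
    Rejection covers '../' traversal, absolute paths, nested directories and
    symlinks that point outside the upload directory.
    """
    root = UPLOAD_DIR.resolve()
    target = Path(candidate)
    if not target.is_absolute():
        target = UPLOAD_DIR / target
    resolved = target.resolve()           # follows symlinks and collapses '..'
    if resolved.parent != root:           # escaped (or never entered) UPLOAD_DIR
        return False
    if not resolved.is_file():            # missing, or not a regular file
        return False
    resolved.unlink()
    return True


def transcription_request(client_filename: str, data: bytes) -> bool:
    """Mimic a handler: store the upload, 'transcribe' it, then remove our own temp file.

    Returns True when the server-owned temporary file was cleaned up.
    """
    path = store_upload(data, client_filename)
    try:
        pass  # transcription of `path` would happen here
    finally:
        removed = safe_remove(path)
    return removed


if __name__ == "__main__":
    print("cleanup ok:", transcription_request("speech.wav", b"constructed audio bytes"))
    print("traversal rejected:", safe_remove("../../some/other/file"))
```

The two properties to keep when adapting this: the delete target is derived from a path the server created, never from the request, and the delete step independently re-checks that the resolved path is inside the directory it owns, so a later refactor that reintroduces a client name cannot silently widen what the handler may remove.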

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
litellm (PyPI)   < 1.35.36           1.35.36

Affected products (2)

  • ghsa-coords
    Range: < 1.35.36
  • berriai/berriai/litellmv5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.