Remote Code Execution in BerriAI/litellm
Description
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the add_deployment function, which decodes and decrypts environment variables from base64 and assigns them to os.environ. An attacker can exploit this by sending a malicious payload to the /config/update endpoint, which is then processed and executed by the server when the get_secret function is triggered. This requires the server to use Google KMS and a database to store a model.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RCE in BerriAI/litellm <=v1.35.8 via base64-decrypted env vars in its `/config/update` endpoint.
Root Cause
BerriAI/litellm version 1.35.8 contains a remote code execution (RCE) vulnerability in the add_deployment function [3]. The function decodes base64-encoded environment variables and assigns them to os.environ. In the get_secret function, after base64 decoding, the code used eval() on the decrypted ciphertext when the result was not bytes [3][4]. This allowed arbitrary code execution if an attacker could control the encrypted secret.
Attack Vector
An attacker can send a crafted payload to the /config/update endpoint [3]. Exploitation requires the server to use Google KMS for decryption and a database to store a model [3]. The malicious payload is processed when get_secret is triggered, and the eval() call executes the attacker-controlled input.
Impact
Successful exploitation yields remote code execution on the server, giving the attacker full control over the LiteLLM proxy server [3].
Mitigation
The vulnerability was patched in commit fcea4c22ad96b24436f196ae709f71932e84b0b8 [2][4]. The fix removes the eval() call and raises a ValueError if the decrypted secret is not bytes [4]. Users should upgrade to a patched version.
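To make the root cause and the fix concrete, here is an added example (not litellm's own code) that places the pre-fix decoding pattern next to the hardened one. The `is_base64` helper is a hypothetical stand-in for litellm's `_is_base64`, whose body is not on the page; the sample ciphertext is a constructed byte string, not real KMS output. The hardened function follows the patch shown below in the diff: a value that is not valid base64 is refused with a ValueError instead of ever reaching eval().

```python
import base64
import binascii

# Constructed sample: bytes standing in for a KMS ciphertext blob (not a real KMS value).
SAMPLE_CIPHERTEXT = b"\x00D\xac\xb4/t)07\xe5\xf6example-ciphertext"
SAMPLE_B64 = base64.b64encode(SAMPLE_CIPHERTEXT).decode()


def is_base64(value) -> bool:
    """Strict base64 check: the value must decode and re-encode to itself.

    Hypothetical helper standing in for litellm's _is_base64 (not on the page).
    """
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            return False
    if not isinstance(value, str) or not value:
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(decoded).decode() == value


def ciphertext_before_fix(encrypted_secret):
    """Pre-fix pattern: anything that is not base64 is handed to eval().

    Reproduces the removed branch from the diff for illustration only; a caller
    who controls the stored secret controls the evaluated expression.
    """
    if is_base64(encrypted_secret):
        encrypted_secret = base64.b64decode(encrypted_secret)
    if not isinstance(encrypted_secret, bytes):
        # The removed code: the string is evaluated as a Python expression.
        return eval(encrypted_secret.encode())
    return encrypted_secret


def ciphertext_after_fix(encrypted_secret) -> bytes:
    """Post-fix pattern: decode base64 or refuse; no path evaluates the input."""
    if is_base64(encrypted_secret):
        return base64.b64decode(encrypted_secret)
    raise ValueError("Google KMS requires the encrypted secret to be encoded in base64")


def rejected(encrypted_secret) -> bool:
    """True when the hardened path refuses the input instead of processing it."""
    try:
        ciphertext_after_fix(encrypted_secret)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A benign non-base64 string shows the pre-fix path evaluating expressions.
    print("before fix, non-base64 input evaluated to:", ciphertext_before_fix("len('abc')"))
    print("after fix, same input rejected:", rejected("len('abc')"))
    print("after fix, base64 input decoded:", ciphertext_after_fix(SAMPLE_B64) == SAMPLE_CIPHERTEXT)
```

The detection side follows directly from the hardened function: a ValueError raised from this path means a non-base64 value reached the secret decoder, which is worth logging (without echoing the value itself) because it indicates a malformed or tampered stored secret rather than a normal KMS ciphertext.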
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| litellm (PyPI) | < 1.40.16 | 1.40.16 |
Affected products
- berriai/berriai/litellm (range: unspecified)
Patches
fcea4c22ad96: Merge pull request #4228 from CodeVigilanteOfficial/fix_rce_eval
1 file changed · +4 −7
litellm/utils.py+4 −7 modified@@ -7182,14 +7182,11 @@ def get_secret( b64_flag = _is_base64(encrypted_secret) if b64_flag == True: # if passed in as encoded b64 string encrypted_secret = base64.b64decode(encrypted_secret) - if not isinstance(encrypted_secret, bytes): - # If it's not, assume it's a string and encode it to bytes - ciphertext = eval( - encrypted_secret.encode() - ) # assuming encrypted_secret is something like - b'\n$\x00D\xac\xb4/t)07\xe5\xf6..' - else: ciphertext = encrypted_secret - + else: + raise ValueError( + f"Google KMS requires the encrypted secret to be encoded in base64" + )#fix for this vulnerability https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce response = client.decrypt( request={ "name": litellm._google_kms_resource_name,
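Review bot: the `#fix for this vulnerability https://huntr.com/...` comment in the new `else:` block is glued to the closing parenthesis of `raise ValueError(...)` with no separating space; move it onto its own line above the `raise`. In the same block the `f"Google KMS requires ..."` literal has no placeholders, so drop the `f` prefix. Earlier in the hunk, `if b64_flag == True:` reads better as `if b64_flag:`. The substance of the change is right: after `base64.b64decode` the value is always `bytes`, so the removed `not isinstance(encrypted_secret, bytes)` branch was only reachable for non-base64 input, which is exactly the input that now raises instead of reaching `eval()`.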
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References