VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Oct 15, 2025

Remote Code Execution in BerriAI/litellm

CVE-2024-6825

Description

BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rules' configuration, where a callback function can be added. The provided value is split at the final '.' mark, with the last part considered the function name and the remaining part appended with the '.py' extension and imported. This allows an attacker to set a system method, such as 'os.system', as a callback, enabling the execution of arbitrary commands when a chat response is processed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LiteLLM 1.40.12 allows remote code execution via callback import from dangerous modules in post_call_rules.

BerriAI/litellm version 1.40.12 contains a remote code execution vulnerability in the handling of the post_call_rules configuration [1][2]. The issue is that when a callback function is specified, the implementation splits the provided value at the final '.' character, treating the last part as the function name and importing the remainder as a module [2]. No validation is performed on the module name, allowing an attacker to specify dangerous Python modules such as os [2].

An attacker who can modify the post_call_rules configuration can set a system method like os.system as the callback [2]. When a chat response is processed, the callback is invoked, executing arbitrary commands with the privileges of the LiteLLM process [2]. The attack does not require authentication if the attacker has access to the configuration, which is a separate prerequisite [2].

Successful exploitation grants the attacker arbitrary command execution on the server hosting the LiteLLM proxy [2]. This can lead to full server compromise, data exfiltration, or further lateral movement within the network [2].

The vulnerability was addressed in a subsequent commit that added a security_checks function to block importing from a hardcoded list of dangerous modules, including os, sys, subprocess, shutil, and others [3]. Users should update to a patched version of litellm [3].
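The mechanism described above (split the callback string at its final '.', treat the tail as a function name, import the head as a module) is the whole story, so the defensive part is the check placed in front of the import. The following is an added example, not litellm's own code: a callback resolver that applies a deny list of the kind the fix introduced, a stricter allow-list alternative that only accepts callbacks under a dedicated package, and an audit helper a defender can run over an already-parsed proxy config to flag risky `post_call_rules` entries. The deny-list entries beyond os, sys, subprocess and shutil, the `litellm_rules.` package prefix, the config layout (`litellm_settings.post_call_rules`) and the sample config are my assumptions; the real loader's mechanics may differ.

```python
"""Hardened callback resolution for 'module.path.function' strings.

Added example (not litellm's own code). The loading mechanics
(importlib.import_module on the head of the string) are an assumption
modelled on the advisory text.
"""
import importlib
from typing import Callable

# Deny list modelled on the advisory's description of the fix (os, sys,
# subprocess, shutil "and others"); the remaining names are my additions.
BLOCKED_MODULES = frozenset({
    "os", "sys", "subprocess", "shutil", "builtins", "importlib",
    "ctypes", "socket", "pickle", "runpy", "code", "pty",
})

# Allow-list alternative: only callbacks under this (hypothetical)
# package are accepted when allow_list=True.
ALLOWED_PACKAGE_PREFIX = "litellm_rules."


def split_callback_path(value: str) -> tuple[str, str]:
    """Split at the final '.', as the advisory describes: the head is the
    module path, the tail is the function name."""
    module_path, sep, func_name = value.rpartition(".")
    if not sep or not module_path or not func_name:
        raise ValueError(f"callback must look like 'module.function': {value!r}")
    return module_path, func_name


def is_blocked_module(module_path: str) -> bool:
    """True if the top-level package is on the deny list; 'os.path.join'
    is blocked because its root is 'os'."""
    root = module_path.split(".", 1)[0]
    return root in BLOCKED_MODULES


def check_callback_path(value: str, allow_list: bool = False) -> tuple[str, str]:
    """Validate a callback string before anything is imported."""
    module_path, func_name = split_callback_path(value)
    if is_blocked_module(module_path):
        raise ValueError(f"refusing to import callback from blocked module {module_path!r}")
    if allow_list and not module_path.startswith(ALLOWED_PACKAGE_PREFIX):
        raise ValueError(
            f"callback module {module_path!r} is outside {ALLOWED_PACKAGE_PREFIX!r}"
        )
    return module_path, func_name


def load_callback(value: str, allow_list: bool = False) -> Callable:
    """Resolve the callback only after the string has passed the checks."""
    module_path, func_name = check_callback_path(value, allow_list)
    module = importlib.import_module(module_path)
    func = getattr(module, func_name, None)
    if not callable(func):
        raise ValueError(f"{value!r} does not name a callable")
    return func


def audit_post_call_rules(config: dict) -> list[str]:
    """Flag post_call_rules entries that a hardened loader would reject.
    Accepts the rules at top level or under 'litellm_settings' (assumed
    layout); a bare string is treated as a single rule."""
    settings = config.get("litellm_settings") or {}
    rules = settings.get("post_call_rules", config.get("post_call_rules", []))
    if isinstance(rules, str):
        rules = [rules]
    findings = []
    for rule in rules:
        try:
            module_path, _ = split_callback_path(str(rule))
        except ValueError as exc:
            findings.append(f"malformed entry {rule!r}: {exc}")
            continue
        if is_blocked_module(module_path):
            findings.append(f"blocked module in {rule!r}")
        elif not module_path.startswith(ALLOWED_PACKAGE_PREFIX):
            findings.append(f"outside allow-list: {rule!r}")
    return findings


# Constructed sample config: one blocked entry, one allowed entry, one
# outside the allow-list, one malformed.
SAMPLE_CONFIG = {
    "litellm_settings": {
        "post_call_rules": [
            "os.system",
            "litellm_rules.checks.post_response_rule",
            "my_rules.post_response_rule",
            "noperiod",
        ]
    }
}

if __name__ == "__main__":
    for finding in audit_post_call_rules(SAMPLE_CONFIG):
        print(finding)
```

The deny list reproduces the shape of the fix and catches the cases the advisory names, but a deny list only covers modules someone thought of; the allow-list path is the stronger control for a config field that is effectively "import and call this", and the audit helper gives operations a way to spot such entries before the proxy loads them.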

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: litellm (PyPI)
Affected versions: >= 1.40.3.dev2, <= 1.40.12
Patched versions: none listed

Affected products: 3

Patches: 0

No patches discovered yet.


References: 5
