Cyber Resilience

CVE-2024-2952

CriticalPublic PoC

Published: 10 April 2024

Published
10 April 2024
Modified
15 July 2025
KEV Added
Patch
CVSS Score v3 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0143 81.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-2952 is a critical-severity Improper Neutralization of Equivalent Special Elements (CWE-76) vulnerability in Litellm Litellm. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as APIs and Models; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), Discover AI Model Ontology (AML.T0013).

EU & UK References

Vulnerability details

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by…

more

crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server.

CWE(s)

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
BerriAI/litellm is a proxy server and SDK for unifying LLM APIs, handling /completions endpoints and processing HuggingFace tokenizer_config.json for chat templates.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1221 Template Injection Stealth
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

CVE-2024-2952 enables Server-Side Template Injection (SSTI) via the /completions endpoint by processing unsanitized chat_template from tokenizer_config.json through Jinja, allowing arbitrary code execution. Maps to T1221 (Template Injection) and T1190 (Exploit Public-Facing Application).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0010: AI Supply Chain CompromiseAML.T0013: Discover AI Model Ontology

Affected Assets

litellm
litellm
≤ 1.34.42

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References