CVE-2024-2952
Published: 10 April 2024
Summary
CVE-2024-2952 is a critical-severity Improper Neutralization of Equivalent Special Elements (CWE-76) vulnerability in Litellm Litellm. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), Discover AI Model Ontology (AML.T0013).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1088
Vulnerability details
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by…
more
crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server.
- CWE(s)
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- BerriAI/litellm is a proxy server and SDK for unifying LLM APIs, handling /completions endpoints and processing HuggingFace tokenizer_config.json for chat templates.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2024-2952 enables Server-Side Template Injection (SSTI) via the /completions endpoint by processing unsanitized chat_template from tokenizer_config.json through Jinja, allowing arbitrary code execution. Maps to T1221 (Template Injection) and T1190 (Exploit Public-Facing Application).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.