Cyber Resilience

CVE-2024-5751

CriticalRCE

Published: 27 June 2024

Published
27 June 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0536 90.3th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-5751 is a critical-severity Code Injection (CWE-94) vulnerability in Litellm Litellm. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as APIs and Models; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: Extract LLM System Prompt (AML.T0056).

Deeper analysis

BerriAI/litellm version v1.35.8 contains a remote code execution vulnerability in the add_deployment function. This component decodes and decrypts base64-encoded environment variables before assigning them to os.environ, enabling code injection when the get_secret function later processes the values. The flaw is reachable through the /config/update endpoint and requires the server to be configured with Google KMS plus a database backend for storing models. It is tracked as CVE-2024-5751 with a CVSS 3.1 score of 9.8 and maps to CWE-94.

An unauthenticated remote attacker can submit a malicious payload to the configuration update endpoint. Once stored, the payload executes with the privileges of the litellm process when get_secret is invoked, resulting in arbitrary code execution on the host.

The EPSS probability for this CVE remains flat at 0.0536 with no material rise after disclosure. Details are documented in the referenced huntr.com bounty reports.

EU & UK References

Vulnerability details

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by…

more

sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model.

CWE(s)

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
BerriAI/litellm (LiteLLM) is a proxy server and library providing a unified API interface for calling various LLM providers and models, directly fitting the APIs and Models category. The vulnerability occurs in deployment configuration handling for models using Google KMS.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability in BerriAI/litellm allows remote code execution by sending a malicious payload to the public-facing /config/update endpoint, which processes base64-decoded environment variables into os.environ, enabling exploitation of a public-facing application.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0056: Extract LLM System Prompt

Affected Assets

litellm
litellm
1.35.8

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

References