CVE-2024-5751
Published: 27 June 2024
Summary
CVE-2024-5751 is a critical-severity Code Injection (CWE-94) vulnerability in Litellm Litellm. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: Extract LLM System Prompt (AML.T0056).
Deeper analysis
BerriAI/litellm version v1.35.8 contains a remote code execution vulnerability in the add_deployment function. This component decodes and decrypts base64-encoded environment variables before assigning them to os.environ, enabling code injection when the get_secret function later processes the values. The flaw is reachable through the /config/update endpoint and requires the server to be configured with Google KMS plus a database backend for storing models. It is tracked as CVE-2024-5751 with a CVSS 3.1 score of 9.8 and maps to CWE-94.
An unauthenticated remote attacker can submit a malicious payload to the configuration update endpoint. Once stored, the payload executes with the privileges of the litellm process when get_secret is invoked, resulting in arbitrary code execution on the host.
The EPSS probability for this CVE remains flat at 0.0536 with no material rise after disclosure. Details are documented in the referenced huntr.com bounty reports.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2057
Vulnerability details
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by…
more
sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model.
- CWE(s)
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- BerriAI/litellm (LiteLLM) is a proxy server and library providing a unified API interface for calling various LLM providers and models, directly fitting the APIs and Models category. The vulnerability occurs in deployment configuration handling for models using Google KMS.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in BerriAI/litellm allows remote code execution by sending a malicious payload to the public-facing /config/update endpoint, which processes base64-decoded environment variables into os.environ, enabling exploitation of a public-facing application.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.