
CVE-2024-2952: LiteLLM has Server-Side Template Injection vulnerability in /completions endpoint

CVSS Score (v3.0): 9.8

Basic Information

EPSS Score: 0.76775%
Published: 4/10/2024
Updated: 4/11/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: litellm
Ecosystem: pip
Vulnerable Versions: < 1.34.42
First Patched Version: 1.34.42

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the hf_chat_template function using Jinja's default Environment() to render user-controlled templates. The commit diff shows the fix replaced Environment() with ImmutableSandboxedEnvironment, which confirms the original implementation lacked proper sandboxing. This allowed attackers to inject template code that executes arbitrary Python commands through specially crafted tokenizer_config.json files. The function's direct handling of external template input without safe rendering mechanisms makes it clearly vulnerable.
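The two rendering paths described above, side by side, as an added example written for this page (not LiteLLM's own code): the tokenizer_config.json entry, the probe template and the messages are constructed, and the sandbox is expected to refuse the probe with jinja2's SecurityError while the plain Environment executes it.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed stand-in for the "chat_template" entry of a tokenizer_config.json,
# i.e. the externally supplied string hf_chat_template renders. This one is benign.
TOKENIZER_CONFIG = {
    "chat_template": (
        "{% for m in messages %}"
        "<|{{ m['role'] }}|>{{ m['content'] }}<|end|>"
        "{% endfor %}"
    )
}

# Constructed probe: a template that calls a mutating list method on the
# caller's data. ImmutableSandboxedEnvironment marks such attributes unsafe
# and raises SecurityError when the template tries to call them.
PROBE_TEMPLATE = "{{ messages.append({'role': 'injected', 'content': ''}) }}"


def render_unsandboxed(template_src, messages):
    """Pre-fix pattern: a plain Environment trusts whatever the template does."""
    return Environment().from_string(template_src).render(messages=messages)


def render_sandboxed(template_src, messages):
    """Post-fix pattern: the sandbox filters attribute access and calls."""
    env = ImmutableSandboxedEnvironment()
    return env.from_string(template_src).render(messages=messages)


def sandbox_refuses(template_src, messages):
    """True when the sandboxed renderer rejects the template with SecurityError."""
    try:
        render_sandboxed(template_src, messages)
    except SecurityError:
        return True
    return False


def demo():
    """Returns (unsandboxed probe output, caller data mutated?, sandbox refused?)."""
    legit = TOKENIZER_CONFIG["chat_template"]
    msgs = [{"role": "user", "content": "hi"}]
    # A legitimate template renders identically under both environments.
    assert render_unsandboxed(legit, msgs) == render_sandboxed(legit, msgs)
    victim = [{"role": "user", "content": "hi"}]
    out = render_unsandboxed(PROBE_TEMPLATE, victim)  # the call silently runs
    mutated = len(victim) == 2
    blocked = sandbox_refuses(PROBE_TEMPLATE, [{"role": "user", "content": "hi"}])
    return out, mutated, blocked
```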


WAF Protection Rules

WAF Rule

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through
