This finding is a bypass of the blacklist implemented as the fix for remote code execution vulnerability CVE-2024-6825.
Introduction
LiteLLM is described as an AI Gateway to provide model access, fallbacks and spend tracking across 100+ LLMs. All in the OpenAI format. (Source)
Description
The fix for CVE-2024-6825 implemented additional security checks to prevent the configuration of insecure Python functions such as „os.system“ as callbacks for LLM responses („post_call_rules“). The additional security check compares the module/function to be loaded against a blacklist:
While common dangerous modules are blocked, the built-in module „pty“ is not covered by the blacklist. This module offers a „spawn“ function, allowing the execution of arbitrary programs on the server:
NSIDE decided to publish this vulnerability because the vendor neither acknowledged this finding nor implemented any remediation several months after being notified.
Risk
An authenticated attacker may execute arbitrary commands on the LiteLLM application server.
Solution/Mitigation
Since the vendor did not acknowledge these vulnerabilities, no official patch is available and no known workarounds exist.
To patch this vulnerability manually, the „os.path.join“ call should be fixed by sanitizing the „module_name“ input parameter. According to the official documentation: „if a segment is an absolute path, then all previous segments are ignored and joining continues from the absolute path segment.“ This effectively circumvents the first „directory“ parameter, which would otherwise restrict the loading of Python modules/functions to a certain subfolder of the LiteLLM project.
A subfolder dedicated to LLM callbacks should be implemented that acts as the only source for configurable LLM callbacks.
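One way to implement the dedicated callback folder described above, as an added example (not LiteLLM's code and not part of the original advisory): „naive_join“ shows the documented „os.path.join“ behaviour, and the hypothetical helpers „resolve_callback_file“ and „load_callback“ load „module.function“ names only from files inside one folder, so names such as „pty.spawn“ are rejected without relying on a blacklist. The folder layout and the sample „my_rules.py“ are assumptions.

```python
import importlib.util
import os
import tempfile

class CallbackPathError(ValueError):
    """Configured callback does not resolve inside the callbacks folder."""

def naive_join(directory, module_name):
    # Pattern the advisory warns about: an absolute module_name discards `directory`.
    return os.path.join(directory, module_name)

def resolve_callback_file(callbacks_dir, module_name):
    """Map a dotted module name to a .py file strictly inside callbacks_dir."""
    parts = module_name.split(".")
    # Only dotted identifiers: rejects path separators, "..", absolute paths, "".
    if not all(p.isidentifier() for p in parts):
        raise CallbackPathError(f"invalid callback module name: {module_name!r}")
    base = os.path.realpath(callbacks_dir)
    candidate = os.path.realpath(os.path.join(base, *parts) + ".py")
    # After symlink resolution the file must still live under the folder.
    if os.path.commonpath([base, candidate]) != base:
        raise CallbackPathError(f"callback escapes {base}: {module_name!r}")
    if not os.path.isfile(candidate):
        raise CallbackPathError(f"not a callback in {base}: {module_name!r}")
    return candidate

def load_callback(callbacks_dir, dotted):
    """Load 'module.function' from callbacks_dir only, never from sys.path."""
    module_name, _, func_name = dotted.rpartition(".")
    path = resolve_callback_file(callbacks_dir, module_name)
    spec = importlib.util.spec_from_file_location(f"_callbacks_{module_name}", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    func = getattr(module, func_name, None)
    if not callable(func):
        raise CallbackPathError(f"{dotted!r} is not a callable in {path}")
    return func

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample callbacks folder
        with open(os.path.join(d, "my_rules.py"), "w") as fh:
            fh.write("def check(text):\n    return len(text) < 100\n")
        print(load_callback(d, "my_rules.check")("hello"))
        for bad in ("pty.spawn", "os.system", "/abs/path/module.func"):
            try:
                load_callback(d, bad)
            except CallbackPathError as exc:
                print("rejected:", exc)
```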
Disclosure Timeline
2025-06-10: Tried to contact vendor via email according to reporting guidelines defined in the security.md of the project
2025-06-13: Tried to contact vendor again via email
2025-06-17: Tried to contact vendor again via email
2025-06-19: Vulnerability reported to vendor via huntr.com
2025-08-07: Tried to contact vendor again via email
2025-08-07: Received email from vendor asking for link to the huntr.com report
2025-08-08: Shared corresponding link to the vendor via email
2025-08-14: Asked vendor for follow-up via email
2025-09-01: Asked vendor for follow-up via email
2025-09-19: Automatic disclosure by huntr.com due to inactivity of the vendor
2026-01-23: Advisory published by NSIDE
Contact/Credits
The vulnerability was discovered during an assessment by Jesse Strathmann of NSIDE ATTACK LOGIC GmbH.
Disclaimer
The information in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at NSIDE ATTACK LOGIC GmbH’s website (https://www.nsideattacklogic.de/).
