Exploitation Details and Impact
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw in the BerriAI LiteLLM open-source AI gateway to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The vulnerability, a command injection flaw with a CVSS score of 8.7, allows any authenticated user to execute arbitrary commands on the host system. Specifically, two endpoints used for previewing MCP server configurations, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, accept a full server configuration including command, args, and env fields. When called with a stdio configuration, these endpoints spawn the supplied command as a subprocess on the proxy host with the privileges of the proxy process.
How the Attack Chain Works
Security researchers at Horizon3.ai demonstrated that attackers can chain this command injection flaw with a separate host header validation bypass vulnerability in the Starlette ASGI framework to achieve unauthenticated remote code execution. The Starlette issue, which affects versions up to 1.0.0, allows attackers to completely bypass LiteLLM’s authentication mechanisms. By combining these two weaknesses, an attacker can execute arbitrary commands on vulnerable LiteLLM deployments without needing any valid credentials. The LiteLLM maintainers have addressed the command injection in version 1.83.7 by requiring the PROXY_ADMIN role for the affected test endpoints, bringing them in line with existing save endpoint permissions. The affected versions include all LiteLLM Python package versions from 1.74.2 up to but not including 1.83.7.
Source: The Hacker News
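For defenders triaging a deployment, the following added example (not code from the article or from the LiteLLM project) checks a version string against the affected range stated above and lists POST requests to the two MCP test endpoints in proxy access logs. The uvicorn-style log line format, the function names and the sample lines are assumptions made for illustration.

```python
import re

# Version bounds and endpoint paths are taken from the article text.
FIRST_AFFECTED = (1, 74, 2)
FIRST_FIXED = (1, 83, 7)
TEST_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Assumed access log shape: <client> - "<METHOD> <target> HTTP/x.y" <status>
ACCESS_RE = re.compile(
    r'(?P<client>\S+) - "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_affected(version: str) -> bool:
    """True if the version falls in [1.74.2, 1.83.7)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return FIRST_AFFECTED <= tuple(map(int, m.groups())) < FIRST_FIXED

def find_test_endpoint_calls(lines):
    """Return (client, path, status) for each POST to an MCP test endpoint."""
    hits = []
    for line in lines:
        m = ACCESS_RE.search(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and any trailing slash before comparing paths.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path in TEST_ENDPOINTS:
            hits.append((m["client"], path, int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    'INFO:     198.51.100.7:40112 - "POST /chat/completions HTTP/1.1" 200 OK',
    'INFO:     203.0.113.9:51844 - "POST /mcp-rest/test/connection HTTP/1.1" 200 OK',
    'INFO:     203.0.113.9:51850 - "POST /mcp-rest/test/tools/list?x=1 HTTP/1.1" 401 Unauthorized',
    'INFO:     198.51.100.7:40120 - "GET /mcp-rest/test/connection HTTP/1.1" 405 Method Not Allowed',
]

if __name__ == "__main__":
    print("1.80.0 affected:", is_affected("1.80.0"))
    for client, path, status in find_test_endpoint_calls(SAMPLE_LOG):
        print(f"review: {client} POST {path} -> {status}")
```

Each hit is a request to review rather than proof of compromise; correlate it with the identity that made the call and with process activity on the proxy host at the same time.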
