BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rules' configuration, where a callback function can be added. The provided value is split at the final '.' mark, with the last part considered the function name and the remaining part appended with the '.py' extension and imported. This allows an attacker to set a system method, such as 'os.system', as a callback, enabling the execution of arbitrary commands when a chat response is processed.
Advisories
Source ID Title
EUVD EUVD EUVD-2025-6976 BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rules' configuration, where a callback function can be added. The provided value is split at the final '.' mark, with the last part considered the function name and the remaining part appended with the '.py' extension and imported. This allows an attacker to set a system method, such as 'os.system', as a callback, enabling the execution of arbitrary commands when a chat response is processed.
Github GHSA Github GHSA GHSA-53gh-p8jc-7rg8 LiteLLM Vulnerable to Remote Code Execution (RCE)
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 15 Oct 2025 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77

Wed, 15 Oct 2025 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
References

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00509}

epss

{'score': 0.00635}


Tue, 15 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Litellm
Litellm litellm
CPEs cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*
cpe:2.3:a:litellm:litellm:1.65.4:dev2:*:*:*:*:*:*
Vendors & Products Litellm
Litellm litellm

Thu, 20 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 20 Mar 2025 10:15:00 +0000

Type Values Removed Values Added
Description BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rules' configuration, where a callback function can be added. The provided value is split at the final '.' mark, with the last part considered the function name and the remaining part appended with the '.py' extension and imported. This allows an attacker to set a system method, such as 'os.system', as a callback, enabling the execution of arbitrary commands when a chat response is processed.
Title Remote Code Execution in BerriAI/litellm
Weaknesses CWE-77
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2025-10-15T12:49:46.893Z

Reserved: 2024-07-16T23:27:36.399Z

Link: CVE-2024-6825

cve-icon Vulnrichment

Updated: 2025-03-20T13:42:55.312Z

cve-icon NVD

Status : Modified

Published: 2025-03-20T10:15:33.237

Modified: 2025-10-15T13:15:49.953

Link: CVE-2024-6825

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-13T11:23:00Z