Impact
LiteLLM is an AI gateway that forwards requests to LLM APIs. Between versions 1.74.2 and prior to 1.83.7 two preview endpoints – POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list – allowed a client to send a complete server configuration, including the command, arguments, and environment variables used by the stdio transport. When these endpoints were called, the gateway attempted to connect, which started the supplied command as a subprocess on the host machine with the privileges of the LiteLLM process. Because no role check was performed, any authenticated API key holder, even one with a low‑privilege internal‑user key, could trigger this path and execute arbitrary code on the host. This flaw is a classic command‑injection weakness identified by CWE‑77 and CWE‑78 and enables an attacker to compromise confidentiality, integrity, and availability.
Affected Systems
The issue affects LiteLLM installations sourced from BerriAI between version 1.74.2 and the pre‑1.83.7 stable release. Any deployment that exposes the two preview endpoints to clients with a valid API key is vulnerable. The vulnerability was patched in version 1.83.7 and later releases.
Risk and Exploitability
The flaw is only reachable to users who possess a valid proxy API key, and no additional role or privilege check is performed. The EPSS score of 80% indicates a high likelihood that the vulnerability is being sought or exploited by threat actors. The CVSS score of 8.7 classifies it as high severity. It is listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that an attacker can choose any command and run it with the proxy process’s privileges, which could lead to lateral movement, credential theft, or full host takeover. The likely attack vector is authenticated API key usage on the preview endpoints.
OpenCVE Enrichment
Github GHSA