CVE-2024-2952 - Vulnerability Details - OpenCVE

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Litellm	Litellm

Configuration 1 [-]

cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3
https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4

History

Tue, 15 Jul 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Litellm Litellm litellm
CPEs		cpe:2.3:a:litellm:litellm::::::::
Vendors & Products		Litellm Litellm litellm

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-04-10T17:07:52.935Z

Updated: 2024-08-01T19:32:42.587Z

Reserved: 2024-03-26T18:00:46.844Z

Link: CVE-2024-2952

Vulnrichment

Updated: 2024-08-01T19:32:42.587Z

NVD

Status : Analyzed

Published: 2024-04-10T17:15:54.823

Modified: 2025-07-15T14:21:14.340

Link: CVE-2024-2952

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2952", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-03-26T18:00:46.844Z", "datePublished": "2024-04-10T17:07:52.935Z", "dateUpdated": "2024-08-01T19:32:42.587Z"}, "containers": {"cna": {"title": "Server-Side Template Injection in BerriAI/litellm", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:21.535Z"}, "descriptions": [{"lang": "en", "value": "BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server."}], "affected": [{"vendor": "berriai", "product": "berriai/litellm", "versions": [{"version": "unspecified", "lessThan": "1.34.42", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4"}, {"url": "https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-76 Improper Neutralization of Equivalent Special Elements", "cweId": "CWE-76"}]}], "source": {"advisory": "a9e0a164-6de0-43a4-a640-0cbfb54220a4", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "berriai", "product": "litellm", "cpes": ["cpe:2.3:a:berriai:litellm:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.23.2", "status": "affected", "lessThan": "1.34.42", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T15:32:17.112100Z", "id": "CVE-2024-2952", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T16:51:12.428Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.587Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4", "tags": ["x_transferred"]}, {"url": "https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4", "tags": ["x_transferred"]}, {"url": "https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.587Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2952", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-03T15:32:17.112100Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:berriai:litellm:*:*:*:*:*:*:*:*"], "vendor": "berriai", "product": "litellm", "versions": [{"status": "affected", "version": "1.23.2", "lessThan": "1.34.42", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T16:49:17.615Z"}}], "cna": {"title": "Server-Side Template Injection in BerriAI/litellm", "source": {"advisory": "a9e0a164-6de0-43a4-a640-0cbfb54220a4", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "berriai", "product": "berriai/litellm", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.34.42", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4"}, {"url": "https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3"}], "descriptions": [{"lang": "en", "value": "BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-76", "description": "CWE-76 Improper Neutralization of Equivalent Special Elements"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:21.535Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2952", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:32:42.587Z", "dateReserved": "2024-03-26T18:00:46.844Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-04-10T17:07:52.935Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*", "matchCriteriaId": "4720F198-5C9D-477B-B77A-A05859CA50BC", "versionEndExcluding": "1.34.42", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server."}, {"lang": "es", "value": "BerriAI/litellm es vulnerable a Server-Side Template Injection (SSTI) a trav\u00e9s del endpoint `/completions`. La vulnerabilidad surge del m\u00e9todo `hf_chat_template` que procesa el par\u00e1metro `chat_template` del archivo `tokenizer_config.json` a trav\u00e9s del motor de plantillas Jinja sin una sanitizaci\u00f3n adecuada. Los atacantes pueden aprovechar esto creando archivos maliciosos `tokenizer_config.json` que ejecutan c\u00f3digo arbitrario en el servidor."}], "id": "CVE-2024-2952", "lastModified": "2025-07-15T14:21:14.340", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-04-10T17:15:54.823", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-76"}], "source": "[email protected]", "type": "Secondary"}]}