CVE-2024-4888: litellm: arbitrary file deletion via audio endpoint
Severity: HIGH. PoC available. CISA SSVC decision: Track.

If your team runs litellm as an LLM gateway or proxy, treat this as critical: any authenticated user can delete arbitrary server files—SSH keys, config files, SQLite databases—with a single crafted API call. Patch to the latest litellm release immediately, or block the /audio/transcriptions endpoint at the reverse proxy layer. No special skill is required; the attack is a one-liner.
Risk Assessment
High risk (CVSS 8.1). litellm is a widely-deployed LLM proxy used to route traffic to OpenAI, Anthropic, and other providers. The vulnerability requires only low-privilege API credentials—typically any valid API key—with no user interaction and low attack complexity. Network-accessible by design, it offers attackers a trivially simple path to destructive impact (Integrity: High, Availability: High). Multi-tenant or shared litellm instances face compounded risk: one compromised API key can destroy shared infrastructure for all users.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| litellm | pip | — | No patch |
Do you use litellm? You're affected.
Recommended Action
Five steps:

1. Patch: Upgrade litellm to the latest release; validate the fix via the huntr advisory and changelog before deploying.
2. Network control: Restrict /audio/transcriptions to trusted internal IP ranges via reverse proxy (nginx/Caddy) as an immediate compensating control.
3. Least privilege: Run litellm as a non-root user with minimal filesystem permissions scoped to its working directory only.
4. Detection: Alert on unexpected file deletions in sensitive directories (/root/.ssh, /etc, app data dirs); monitor API logs for multipart/form-data requests to /audio/transcriptions with suspicious filename fields containing path separators.
5. Recovery readiness: Verify SSH keys and critical configs are backed up and recoverable before relying on patching alone.
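The detection step above (flag transcription requests whose multipart filename carries path separators) as an added example, not code from the advisory or from the litellm project. The JSON log lines are constructed sample data; the field names (`path`, `key_alias`, `filename`) are assumptions about what a proxy's request log might carry.

```python
from __future__ import annotations
import json

# Constructed sample request log (not real litellm output): one JSON record per call,
# carrying the multipart "filename" the proxy received. Field names are assumptions.
SAMPLE_LOG = r'''
{"ts":"2024-05-14T10:01:02Z","method":"POST","path":"/audio/transcriptions","key_alias":"team-a","filename":"meeting.mp3"}
{"ts":"2024-05-14T10:01:09Z","method":"POST","path":"/audio/transcriptions","key_alias":"team-b","filename":"../../.ssh/authorized_keys"}
{"ts":"2024-05-14T10:02:30Z","method":"POST","path":"/chat/completions","key_alias":"team-a","filename":null}
{"ts":"2024-05-14T10:03:11Z","method":"POST","path":"/audio/transcriptions","key_alias":"team-c","filename":"/var/lib/litellm/litellm.db"}
{"ts":"2024-05-14T10:04:45Z","method":"POST","path":"/audio/transcriptions","key_alias":"team-a","filename":"notes\\..\\secrets.env"}
'''

WATCHED_PATH = "/audio/transcriptions"


def is_suspicious_filename(name: str) -> bool:
    """Flag any client filename that could be interpreted as a path rather than a
    bare name: path separators (POSIX or Windows), dot-dot, or embedded NULs."""
    if not name:
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return True
    return name in (".", "..")


def scan_log(log_text: str) -> list[dict]:
    """Return one alert per transcription request whose filename looks like a path."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        if rec.get("method") != "POST" or rec.get("path") != WATCHED_PATH:
            continue
        fname = rec.get("filename") or ""
        if is_suspicious_filename(fname):
            alerts.append({"ts": rec["ts"], "key_alias": rec["key_alias"], "filename": fname})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a['ts']} key={a['key_alias']} filename={a['filename']!r}")
```

The key alias in each alert is what you would pivot on next: one key producing path-shaped filenames is the tenant whose credential needs revoking.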
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-4888?
If your team runs litellm as an LLM gateway or proxy, treat this as critical: any authenticated user can delete arbitrary server files—SSH keys, config files, SQLite databases—with a single crafted API call. Patch to the latest litellm release immediately, or block the /audio/transcriptions endpoint at the reverse proxy layer. No special skill is required; the attack is a one-liner.
Is CVE-2024-4888 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-4888, increasing the risk of exploitation.
How to fix CVE-2024-4888?
1. Patch: Upgrade litellm to the latest release; validate the fix via the huntr advisory and changelog before deploying.
2. Network control: Restrict /audio/transcriptions to trusted internal IP ranges via reverse proxy (nginx/Caddy) as an immediate compensating control.
3. Least privilege: Run litellm as a non-root user with minimal filesystem permissions scoped to its working directory only.
4. Detection: Alert on unexpected file deletions in sensitive directories (/root/.ssh, /etc, app data dirs); monitor API logs for multipart/form-data requests to /audio/transcriptions with suspicious filename fields containing path separators.
5. Recovery readiness: Verify SSH keys and critical configs are backed up and recoverable before relying on patching alone.
What systems are affected by CVE-2024-4888?
This vulnerability affects the following AI/ML architecture patterns: LLM gateways and proxies, model serving, API gateways, agent frameworks.
What is the CVSS score for CVE-2024-4888?
CVE-2024-4888 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.06%.
Technical Details
NVD Description
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this vulnerability by sending a specially crafted request that includes a file path to the server, which then deletes the specified file without proper authorization or validation. This vulnerability is present in the code where `os.remove(file.filename)` is used to delete a file, allowing any user to delete critical files on the server such as SSH keys, SQLite databases, or configuration files.
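The fix the NVD text implies, as an added example that is not litellm's own code: the uploaded audio is written under a server-generated name inside a private working directory, and only that path is ever removed, so the client-controlled `filename` never becomes a filesystem path. `Upload` is an assumed stand-in for the framework's upload object, and `fake_transcribe` is a placeholder for the real speech-to-text call.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Upload:
    """Stand-in (assumed) for the framework's UploadFile: client name plus bytes."""
    filename: str
    data: bytes


def fake_transcribe(path: str) -> str:
    """Placeholder for the real speech-to-text call; only reports the byte count."""
    return f"transcribed {os.path.getsize(path)} bytes"


def transcribe_hardened(upload: Upload, workdir: str) -> str:
    """Fixed pattern: the file lives under a server-generated name inside workdir and
    only that path is removed. The vulnerable code instead did os.remove(file.filename),
    letting the caller choose what gets deleted."""
    # The client name contributes nothing but an extension hint, and even that is
    # taken from the basename so "../x.mp3" cannot smuggle a directory component.
    ext = os.path.splitext(os.path.basename(upload.filename))[1].lower()
    if ext not in {".mp3", ".wav", ".m4a", ".webm"}:
        ext = ".bin"
    fd, path = tempfile.mkstemp(suffix=ext, dir=workdir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(upload.data)
        real_dir = os.path.realpath(workdir)
        if os.path.commonpath([real_dir, os.path.realpath(path)]) != real_dir:
            raise RuntimeError("upload path escaped workdir")
        return fake_transcribe(path)
    finally:
        os.remove(path)   # deletes the temp file we created, never a client-named path


def run_check() -> dict:
    """Exercise the handler with a traversal-style filename (constructed input) and
    confirm the decoy file it points at survives and workdir is left clean."""
    base = tempfile.mkdtemp()
    decoy = os.path.join(base, "authorized_keys")
    open(decoy, "w").close()
    workdir = os.path.join(base, "uploads")
    os.mkdir(workdir)
    result = transcribe_hardened(Upload("../authorized_keys", b"\x00" * 16), workdir)
    return {
        "result": result,
        "decoy_survived": os.path.exists(decoy),
        "workdir_clean": os.listdir(workdir) == [],
    }
```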
Exploitation Scenario
An attacker with a low-privilege litellm API key—obtained via credential stuffing, a leaked key in a public GitHub repository, or insider access—sends a POST request to /audio/transcriptions with a crafted multipart/form-data payload. Instead of a valid audio file, the filename field contains a path such as '../../.ssh/authorized_keys' or '/var/lib/litellm/litellm.db'. The server calls os.remove(file.filename) without any path validation or authorization check, silently deleting the targeted file. The attacker iterates through predictable high-value paths—SSH keys, the litellm database, environment files containing upstream API keys—causing service disruption, admin lockout, and destruction of audit trails, all while appearing as a legitimate API caller.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

References
- huntr.com/bounties/48461d89-cf13-4ad3-a43e-0d37da08fc6c (Exploit, 3rd Party)
- github.com/fkie-cad/nvd-json-data-feeds (Exploit)
Related Vulnerabilities (same package: litellm)
- CVE-2026-42208 (9.8): LiteLLM: SQL injection exposes LLM API credentials
- CVE-2026-35030 (9.1): LiteLLM: auth bypass via JWT cache key collision
- CVE-2026-40217 (8.8): LiteLLM: RCE via bytecode rewriting in guardrails API
- CVE-2024-6825 (8.8): LiteLLM: RCE via post_call_rules callback injection
- CVE-2026-42271 (8.8): LiteLLM: RCE via MCP test endpoint command injection