CVE-2024-6825: LiteLLM: RCE via post_call_rules callback injection

GHSA-53gh-p8jc-7rg8 HIGH PoC AVAILABLE CISA: ATTEND
Published March 20, 2025
CISO Take

LiteLLM is widely deployed as an LLM proxy and multi-model gateway; any user with API write access to its configuration can inject a malicious callback (e.g., os.system) into post_call_rules and achieve full OS command execution on the host whenever a chat response is processed. Patch immediately to a version beyond 1.40.12 or remove write access to the post_call_rules configuration endpoint. If patching is not immediately possible, restrict configuration API access to trusted administrators only.

What is the risk?

High risk. A CVSS score of 8.8 with a network-accessible attack vector and only low privileges required creates a wide exploitation window. LiteLLM is commonly deployed as an internal gateway serving multiple teams or as a public-facing proxy; both scenarios expose the configuration endpoint to a broad attacker population. EPSS at 1.35% reflects moderate near-term exploitation likelihood, but the trivial exploitation path (set a config value, trigger any chat call) will accelerate that figure. The absence of a listed patch version and the public disclosure via Huntr amplify the urgency. Any multi-tenant LiteLLM deployment (shared internal AI gateway) should be treated as critically exposed.

What systems are affected?

Package   Ecosystem   Vulnerable Range              Patched
LiteLLM   pip         >= 1.40.3.dev2, <= 1.40.12    No patch

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 1.5% chance of exploitation in 30 days (higher than 70% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

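AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High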

What should I do?

6 steps
  1. PATCH

    Upgrade LiteLLM beyond 1.40.12 immediately (monitor the advisory at GHSA-53gh-p8jc-7rg8 for a fixed version tag).

  2. RESTRICT

    If patching is blocked, lock down the LiteLLM configuration API — restrict POST/PUT to the config endpoint to admin-only service accounts via network policy or API gateway ACLs.

  3. AUDIT

    Review current post_call_rules values in all LiteLLM config files and running instances; any non-empty value referencing system modules (os, subprocess, sys) is a compromise indicator.

  4. DETECT

    Alert on LiteLLM process spawning unexpected child processes (os.system, subprocess.Popen); monitor for anomalous outbound connections from the LiteLLM host post-chat-completion.

  5. ISOLATE

    Run LiteLLM in a container with a read-only filesystem, dropped capabilities, and no internet egress where possible to limit blast radius.

  6. ROTATE

    After any suspected exploitation, rotate all secrets accessible from the LiteLLM runtime environment (OpenAI/Anthropic API keys, DB credentials, cloud IAM tokens).
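
One way to carry out the AUDIT step across many configuration files, as an added example (not LiteLLM code and not part of the original advisory). It walks each parsed config for any post_call_rules key and flags values whose top-level module is os, subprocess or sys; the sample configs are constructed, given as JSON to avoid a YAML dependency, and their litellm_settings nesting is an assumption.

```python
import json

# Module roots the AUDIT step names as compromise indicators.
SUSPICIOUS_ROOTS = {"os", "subprocess", "sys"}

# Constructed sample configs, given as JSON text to stay stdlib-only.
# The "litellm_settings" nesting is an assumption about the deployment.
SAMPLE_CONFIGS = {
    "gateway-a.json": '{"litellm_settings": {"post_call_rules": "os.system"}}',
    "gateway-b.json": '{"litellm_settings": {"post_call_rules": ["rules.check_len"]}}',
    "gateway-c.json": '{"model_list": [], "litellm_settings": {}}',
}


def find_rules(node, path=""):
    """Yield (path, value) for every post_call_rules entry at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "post_call_rules":
                for item in value if isinstance(value, list) else [value]:
                    yield here, item
            else:
                yield from find_rules(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_rules(item, f"{path}[{index}]")


def audit(configs):
    """Return (file, path, value, verdict) for each non-empty rule value."""
    findings = []
    for name in sorted(configs):
        for where, value in find_rules(json.loads(configs[name])):
            if not value:
                continue  # empty or null: no callback configured
            root = str(value).split(".", 1)[0]
            verdict = "indicator" if root in SUSPICIOUS_ROOTS else "review"
            findings.append((name, where, value, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print(*finding, sep="  ")
```

A "review" verdict means a callback is configured but does not name one of the three listed modules; it still needs a human to confirm it is an expected rule.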

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • A.6.2.6 - AI system security
  • A.9.3 - AI system integrity
NIST AI RMF
  • GOVERN 6.2 - AI risk management policies for third-party dependencies
  • MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
OWASP LLM Top 10
  • LLM05:2025 - Improper Output Handling
  • LLM09:2025 - Misinformation

Frequently Asked Questions

Is CVE-2024-6825 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-6825, increasing the risk of exploitation.

What systems are affected by CVE-2024-6825?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy and gateway deployments, Multi-model routing pipelines, AI agent frameworks, Model serving infrastructure, Internal AI platforms.

What is the CVSS score for CVE-2024-6825?

CVE-2024-6825 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.46%.

What is the AI security impact?

Affected AI Architectures

  • LLM proxy and gateway deployments
  • Multi-model routing pipelines
  • AI agent frameworks
  • Model serving infrastructure
  • Internal AI platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.6, A.9.3
NIST AI RMF: GOVERN 6.2, MANAGE 2.2
OWASP LLM Top 10: LLM05:2025, LLM09:2025

What are the technical details?

Original Advisory

BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rules' configuration, where a callback function can be added. The provided value is split at the final '.' mark, with the last part considered the function name and the remaining part appended with the '.py' extension and imported. This allows an attacker to set a system method, such as 'os.system', as a callback, enabling the execution of arbitrary commands when a chat response is processed.

Exploitation Scenario

An attacker with low-privilege access to an organization's internal AI gateway (LiteLLM 1.40.12) — e.g., a developer account or a compromised CI/CD pipeline credential — sends a PATCH request to the LiteLLM configuration endpoint setting post_call_rules to ['os.system']. LiteLLM splits this at the final dot: function name becomes 'system', module path becomes 'os.py' which resolves to Python's built-in os module. The attacker then sends a standard chat completion request. When the response is processed, LiteLLM invokes os.system() with a crafted argument — a reverse shell payload or credential exfiltration command. From the LiteLLM host, the attacker now has shell access, exfiltrates all API keys stored in the environment (including keys to GPT-4, Claude, Gemini endpoints), and pivots to connected infrastructure such as vector databases or model registries. In a multi-tenant SaaS AI platform, one compromised developer account is sufficient to own the entire LLM gateway and all its downstream integrations.
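
The split-at-the-final-dot resolution described in the advisory, next to a hardened alternative, as an added example (a simplified stand-in, not LiteLLM's code and not the project's fix). The registry, the post_call_rule decorator and the max_response_length rule are hypothetical names introduced for illustration; the resolvers only return callables and never invoke them.

```python
import importlib

# Registry of callbacks the operator has deliberately exposed to configuration.
REGISTERED_RULES = {}


def post_call_rule(func):
    """Decorator: make a function selectable from config by its name."""
    REGISTERED_RULES[func.__name__] = func
    return func


@post_call_rule
def max_response_length(text, limit=4096):
    """Hypothetical rule: accept responses up to `limit` characters."""
    return len(text) <= limit


def resolve_by_import(dotted):
    """Pattern from the advisory, simplified: split at the final '.',
    import the left part, return the attribute named by the right part.
    Any importable callable is reachable, including os.system."""
    module_name, func_name = dotted.rsplit(".", 1)
    return getattr(importlib.import_module(module_name), func_name)


def resolve_registered(name):
    """Hardened form: the config value is only a key into the registry;
    nothing is imported on behalf of the caller."""
    if name not in REGISTERED_RULES:
        raise ValueError(f"post-call rule {name!r} is not registered")
    return REGISTERED_RULES[name]


def is_accepted(resolver, value):
    """True if `resolver` hands back a callable for `value` (never calls it)."""
    try:
        return callable(resolver(value))
    except (ValueError, ImportError, AttributeError):
        return False


if __name__ == "__main__":
    for value in ("os.system", "max_response_length"):
        print(value, is_accepted(resolve_by_import, value),
              is_accepted(resolve_registered, value))
```

With the registry, the set of reachable callbacks is fixed in code at deploy time, so write access to the configuration no longer selects which function runs on a chat response.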

Weaknesses (CWE)

CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Implementation] If possible, ensure that all external commands called from the program are statically created.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 20, 2025
Last Modified: October 15, 2025
First Seen: March 24, 2026

Related Vulnerabilities