CVE-2024-8984: LiteLLM unauthenticated DoS

CISO Take

Any organization running LiteLLM as an LLM API gateway is exposed to a zero-authentication denial of service that can take down all AI service routing instantly. Upgrade to 1.56.2 immediately — the attack is trivial to script and requires no credentials or insider knowledge. If patching is blocked, place a WAF or reverse proxy in front that enforces multipart boundary length limits.

What is the risk?

High effective risk despite moderate CVSS (7.5). The combination of zero authentication, zero user interaction, and network-accessible attack surface means any exposed LiteLLM instance is one HTTP request away from outage. EPSS is low (0.00202) indicating no current mass exploitation, but the simplicity of the technique makes it a realistic threat for targeted disruption. Organizations using LiteLLM as a centralized LLM proxy face amplified impact: a single DoS event disrupts all downstream AI-powered applications simultaneously.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LiteLLM	pip	< 1.56.2	`1.56.2`
51.0K OpenSSF 6.1 6 dependents Pushed 3d ago 44% patched ~38d to patch Full package profile →

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.8%

chance of exploitation in 30 days

Higher than 52% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

What should I do?

6 steps

PATCH

Upgrade litellm to >= 1.56.2 immediately (pip install --upgrade litellm).
WORKAROUND if patching is blocked: place a WAF or nginx/Caddy reverse proxy enforcing multipart boundary length limits (<= 70 chars per RFC 2046).
NETWORK CONTROL

Restrict LiteLLM endpoint access to known IP ranges or authenticated clients via API gateway.
RATE LIMITING

Implement request rate limiting per IP at the load balancer layer.
DETECTION

Alert on requests with multipart boundaries > 100 characters or with repeated dash sequences in Content-Type headers.
MONITORING

Watch for sudden CPU/memory spikes on LiteLLM processes as an indicator of active exploitation.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS API Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI System Operational Continuity

NIST AI RMF

MANAGE-4.1 - Residual risks and negative impacts are managed

OWASP LLM Top 10

LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2024-8984?

Any organization running LiteLLM as an LLM API gateway is exposed to a zero-authentication denial of service that can take down all AI service routing instantly. Upgrade to 1.56.2 immediately — the attack is trivial to script and requires no credentials or insider knowledge. If patching is blocked, place a WAF or reverse proxy in front that enforces multipart boundary length limits.

Is CVE-2024-8984 actively exploited?

No confirmed active exploitation of CVE-2024-8984 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-8984?

1. PATCH: Upgrade litellm to >= 1.56.2 immediately (pip install --upgrade litellm). 2. WORKAROUND if patching is blocked: place a WAF or nginx/Caddy reverse proxy enforcing multipart boundary length limits (<= 70 chars per RFC 2046). 3. NETWORK CONTROL: Restrict LiteLLM endpoint access to known IP ranges or authenticated clients via API gateway. 4. RATE LIMITING: Implement request rate limiting per IP at the load balancer layer. 5. DETECTION: Alert on requests with multipart boundaries > 100 characters or with repeated dash sequences in Content-Type headers. 6. MONITORING: Watch for sudden CPU/memory spikes on LiteLLM processes as an indicator of active exploitation.

What systems are affected by CVE-2024-8984?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, model serving, agent frameworks, RAG pipelines, AI application backends.

What is the CVSS score for CVE-2024-8984?

CVE-2024-8984 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.79%.

What is the AI security impact?

Affected AI Architectures

LLM API gatewaysmodel servingagent frameworksRAG pipelinesAI application backends

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service

AML.T0034 Cost Harvesting

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2

NIST AI RMF: MANAGE-4.1

OWASP LLM Top 10: LLM10:2025

What are the technical details?

Original Advisory

A Denial of Service (DoS) vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

Exploitation Scenario

An adversary targeting an organization's AI infrastructure identifies a publicly accessible LiteLLM endpoint (common in internal developer platforms or SaaS AI products). They craft an HTTP POST request with a Content-Type header containing a multipart boundary padded with thousands of dash characters. The LiteLLM parser processes each character iteratively, spinning CPU cycles without throttling. A single attacker script sending this request in a loop saturates the server, making the LiteLLM proxy unresponsive. All downstream applications — AI copilots, RAG systems, agent workflows — fail simultaneously. No credentials, no prior access, no specialized ML knowledge required. Total time from discovery to outage: minutes.

Weaknesses (CWE)

CWE-400 Uncontrolled Resource Consumption Primary CWE-770 Allocation of Resources Without Limits or Throttling Primary

CWE-400 — Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource.

[Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
[Architecture and Design] Mitigation of resource exhaustion attacks requires that the target system either: The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker. recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.

Source: MITRE CWE corpus.