CVE-2024-8984 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any organization running LiteLLM as an LLM API gateway is exposed to a zero-authentication denial of service that can take down all AI service routing instantly. Upgrade to 1.56.2 immediately — the attack is trivial to script and requires no credentials or insider knowledge. If patching is blocked, place a WAF or reverse proxy in front that enforces multipart boundary length limits.

Risk Assessment

High effective risk despite moderate CVSS (7.5). The combination of zero authentication, zero user interaction, and network-accessible attack surface means any exposed LiteLLM instance is one HTTP request away from outage. EPSS is low (0.00202) indicating no current mass exploitation, but the simplicity of the technique makes it a realistic threat for targeted disruption. Organizations using LiteLLM as a centralized LLM proxy face amplified impact: a single DoS event disrupts all downstream AI-powered applications simultaneously.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
litellm	pip	< 1.56.2	`1.56.2`
45.5K OpenSSF 6.2 4 dependents Pushed 6d ago 50% patched ~43d to patch Full package profile →

Do you use litellm? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.6%

chance of exploitation in 30 days

Higher than 71% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

6 steps

PATCH

Upgrade litellm to >= 1.56.2 immediately (pip install --upgrade litellm).
WORKAROUND if patching is blocked: place a WAF or nginx/Caddy reverse proxy enforcing multipart boundary length limits (<= 70 chars per RFC 2046).
NETWORK CONTROL

Restrict LiteLLM endpoint access to known IP ranges or authenticated clients via API gateway.
RATE LIMITING

Implement request rate limiting per IP at the load balancer layer.
DETECTION

Alert on requests with multipart boundaries > 100 characters or with repeated dash sequences in Content-Type headers.
MONITORING

Watch for sudden CPU/memory spikes on LiteLLM processes as an indicator of active exploitation.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS API Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI System Operational Continuity

NIST AI RMF

MANAGE-4.1 - Residual risks and negative impacts are managed

OWASP LLM Top 10

LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2024-8984?

Any organization running LiteLLM as an LLM API gateway is exposed to a zero-authentication denial of service that can take down all AI service routing instantly. Upgrade to 1.56.2 immediately — the attack is trivial to script and requires no credentials or insider knowledge. If patching is blocked, place a WAF or reverse proxy in front that enforces multipart boundary length limits.

Is CVE-2024-8984 actively exploited?

No confirmed active exploitation of CVE-2024-8984 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-8984?

1. PATCH: Upgrade litellm to >= 1.56.2 immediately (pip install --upgrade litellm). 2. WORKAROUND if patching is blocked: place a WAF or nginx/Caddy reverse proxy enforcing multipart boundary length limits (<= 70 chars per RFC 2046). 3. NETWORK CONTROL: Restrict LiteLLM endpoint access to known IP ranges or authenticated clients via API gateway. 4. RATE LIMITING: Implement request rate limiting per IP at the load balancer layer. 5. DETECTION: Alert on requests with multipart boundaries > 100 characters or with repeated dash sequences in Content-Type headers. 6. MONITORING: Watch for sudden CPU/memory spikes on LiteLLM processes as an indicator of active exploitation.

What systems are affected by CVE-2024-8984?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, model serving, agent frameworks, RAG pipelines, AI application backends.

What is the CVSS score for CVE-2024-8984?

CVE-2024-8984 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.64%.

Technical Details

NVD Description

A Denial of Service (DoS) vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

Exploitation Scenario

An adversary targeting an organization's AI infrastructure identifies a publicly accessible LiteLLM endpoint (common in internal developer platforms or SaaS AI products). They craft an HTTP POST request with a Content-Type header containing a multipart boundary padded with thousands of dash characters. The LiteLLM parser processes each character iteratively, spinning CPU cycles without throttling. A single attacker script sending this request in a loop saturates the server, making the LiteLLM proxy unresponsive. All downstream applications — AI copilots, RAG systems, agent workflows — fail simultaneously. No credentials, no prior access, no specialized ML knowledge required. Total time from discovery to outage: minutes.