<p>Upgrade <code>litellm</code> to version 1.34.42 or higher.</p>

Improper Neutralization of Special Elements used in a Template Engine ('Template Injection') Affecting litellm package, versions [,1.34.42)

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 0.04% (9^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-LITELLM-6595956
published 11 Apr 2024
disclosed 10 Apr 2024
credit mvlttt

Report a new vulnerability Found a mistake?

Introduced: 10 Apr 2024

New CVE-2024-2952 Open this link in a new tab CWE-76 Open this link in a new tab

How to fix?

Upgrade litellm to version 1.34.42 or higher.

Overview

litellm is a Library to easily interface with LLM API providers

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in a Template Engine ('Template Injection') due to the hf_chat_template method processing the chat_template parameter from the tokenizer_config.json file through the Jinja template engine without proper sanitization. An attacker can execute arbitrary code on the server by crafting malicious tokenizer_config.json files.