BerriAI litellm
cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*
- 1.40.12
A remote code execution vulnerability exists in BerriAI Litellm version 1.40.12. The issue arises in the 'post_call_rules' configuration, where users can add callback functions. The provided function name is extracted by splitting the value at the last dot, with the final segment taken as the function name and the rest appended with a '.py' extension for import. This mechanism allows an attacker to specify system methods, such as 'os.system', as callbacks, which are then executed with arbitrary commands when processing chat responses.
Exploitation of this vulnerability allows for arbitrary code execution on the server, potentially leading to full system compromise.
To reproduce this vulnerability, send a POST request to the '/config/update' endpoint with a 'litellm_settings' payload that includes a 'post_call_rules' value pointing to a system method, such as 'os.system'. Then, make a POST request to the chat completions endpoint, prompting the model to execute a command. The response will include the output of the executed command, demonstrating that the code execution was successful.
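The weakness described above is a callback loader that turns any dotted string into an import, so the mitigation is to resolve such settings only against an explicit directory of rule files and to refuse everything else. The following is an added, defender-side example written for this entry; it is not litellm's code or its fix, and the names `resolve_callback`, `CallbackResolutionError`, `demo`, the `rules_dir` parameter and the sample rule file are all assumptions constructed for the illustration.

```python
"""Added example (not litellm's code): allowlist-style resolution of a dotted
callback name such as a 'post_call_rules' value.

Only modules that exist as regular .py files inside an explicit rules directory
can be loaded; there is no fallback to importlib.import_module, so a name like
'os.system' (or any stdlib / installed module) is unreachable through this path.
All identifiers here are assumptions for the example.
"""
import importlib.util
import os
import tempfile
import textwrap
import types


class CallbackResolutionError(ValueError):
    """Raised when a configured callback name is refused."""


def resolve_callback(value: str, rules_dir: str):
    """Resolve 'module.function' to a callable, but only from files under rules_dir.

    Refuses: malformed names (empty or non-identifier segments), private names,
    paths that escape rules_dir, names whose module file does not exist there,
    and attributes that are not plain functions defined in that very file
    (so a rule file re-exporting os.system is refused as well).
    """
    parts = value.split(".")
    if len(parts) < 2 or not all(p.isidentifier() for p in parts):
        raise CallbackResolutionError(f"malformed callback name: {value!r}")
    module_parts, func_name = parts[:-1], parts[-1]
    if func_name.startswith("_"):
        raise CallbackResolutionError(f"private names are not allowed: {value!r}")

    base = os.path.realpath(rules_dir)
    path = os.path.realpath(os.path.join(base, *module_parts) + ".py")
    # realpath + commonpath guard against symlinks and '..' escapes;
    # isfile is what makes 'os.system' fail: there is no rules_dir/os.py.
    if os.path.commonpath([base, path]) != base or not os.path.isfile(path):
        raise CallbackResolutionError(f"no rule file for {value!r} under {rules_dir}")

    module_name = ".".join(module_parts)
    spec = importlib.util.spec_from_file_location(module_name, path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)

    fn = getattr(module, func_name, None)
    # Builtins (os.system) and functions imported from elsewhere are rejected.
    if not isinstance(fn, types.FunctionType) or fn.__module__ != module_name:
        raise CallbackResolutionError(f"{value!r} is not a function defined in {path}")
    return fn


# Constructed sample rule module for this example: one legitimate rule plus a
# re-export of os.system that the resolver must still refuse.
SAMPLE_RULE_FILE = textwrap.dedent('''
    from os import system  # re-export that must not be loadable as a rule

    def check_reply(response: str) -> str:
        return "blocked" if "secret" in response else response
''')


def demo() -> dict:
    """Write the sample rule file to a temporary rules dir and try several names."""
    candidates = [
        "my_rules.check_reply",      # legitimate rule in the rules directory
        "os.system",                 # the pattern from the advisory
        "my_rules.system",           # re-exported builtin inside a rule file
        "subprocess.run",            # another installed module
        "..my_rules.check_reply",    # malformed / escape attempt
        "my_rules._private",         # private name
    ]
    results = {}
    with tempfile.TemporaryDirectory() as rules_dir:
        with open(os.path.join(rules_dir, "my_rules.py"), "w") as f:
            f.write(SAMPLE_RULE_FILE)
        for name in candidates:
            try:
                results[name] = resolve_callback(name, rules_dir)("the secret plan")
            except CallbackResolutionError:
                results[name] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} -> {outcome}")
```

The key design choice is that the configured string never reaches `importlib.import_module`: the module part is mapped to a file path that must already exist inside the rules directory, and the attribute is accepted only if it is a plain function defined in that file. A configuration endpoint that accepts such values from callers should additionally be authenticated, but that is a separate control from the loader itself.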