BerriAI LiteLLM
cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*
- >= 1.80.5, < 1.83.7
A server-side template injection (SSTI) vulnerability exists in LiteLLM, a proxy server for calling LLM APIs, in versions from 1.80.5 up to but not including 1.83.7. The POST /prompts/test endpoint accepted a user-supplied prompt template and rendered it without sandboxing, so a crafted template could execute arbitrary code inside the LiteLLM Proxy process. Because the endpoint requires only a valid proxy API key, any authenticated user could exploit it. Depending on how the proxy is deployed, this could expose sensitive values from the process environment, such as provider API keys or database credentials, and allow commands to be executed on the host.
Successful exploitation gives arbitrary code execution in the LiteLLM Proxy process, which in turn can expose secrets held in the process environment and allow command execution on the host.
The vulnerability is patched in LiteLLM version 1.83.7; users should upgrade to that version or later. If an immediate upgrade is not possible, block POST /prompts/test at the reverse proxy or API gateway in front of the LiteLLM Proxy, and review which proxy API keys can reach the prompt management routes, rotating any that should not have that access.
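The rendering pattern the description and remediation above refer to, as an added example that is not LiteLLM's code: the page does not name the template engine LiteLLM used, so Python's built-in str.format stands in here for an unsandboxed engine (its field syntax allows attribute and index access on every argument) and string.Template stands in for a placeholder-only renderer. The PromptContext class, the render_unsafe and render_safe functions, the OPENAI_API_KEY value and both templates are constructed for this example and are not the real payload.

```python
"""
Template injection through unsandboxed rendering of a user-supplied
prompt template, beside a placeholder-only renderer that cannot be
walked into the process environment.

Added example; not LiteLLM's code. str.format is a stand-in for an
unsandboxed engine and string.Template for a safe one (assumption:
LiteLLM's actual engine is not named on the page).
"""
import os
import string


class PromptContext:
    """Object handed to the renderer as a template variable (constructed)."""

    def __init__(self, user: str) -> None:
        self.user = user


def render_unsafe(template: str, ctx: PromptContext) -> str:
    """Vulnerable shape: the template author controls the field syntax.

    str.format field names permit ".attr" and "[key]" chains, so a template
    can walk from any argument to a function's __globals__ and from there to
    os.environ. Nothing here limits which attributes may be reached.
    """
    return template.format(ctx=ctx)


def render_safe(template: str, ctx: PromptContext) -> str:
    """Hardened shape: substitute only $name placeholders from an explicit
    allow-list of plain values. There is no attribute or item access, and an
    unknown placeholder raises KeyError instead of being resolved.
    """
    allowed = {"user": ctx.user}
    return string.Template(template).substitute(allowed)


def demo() -> dict:
    """Render a benign and a hostile template with both renderers.

    The secret is constructed: it is placed in os.environ only so the leak
    is observable. Returns the rendered strings for inspection.
    """
    os.environ["OPENAI_API_KEY"] = "sk-constructed-example-key"
    ctx = PromptContext("alice")

    benign = "Hello {ctx.user}, summarise the document."
    # Walks ctx -> __init__ -> module globals -> os -> environ -> secret.
    hostile = "{ctx.__init__.__globals__[os].environ[OPENAI_API_KEY]}"

    results = {
        "unsafe_benign": render_unsafe(benign, ctx),
        "unsafe_hostile": render_unsafe(hostile, ctx),
        "safe_benign": render_safe("Hello $user, summarise the document.", ctx),
        # The str.format syntax means nothing to string.Template: returned verbatim.
        "safe_passthrough": render_safe(hostile, ctx),
    }
    try:
        # A $-style probe for the context object is not in the allow-list.
        render_safe("$ctx", ctx)
        results["safe_hostile"] = "substituted"
    except KeyError:
        results["safe_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is that the fix for this class is not filtering template text but choosing a renderer whose reachable surface is the allow-listed values and nothing else. Where a real template engine is required, its sandbox mode is the equivalent of render_safe above (Jinja2's SandboxedEnvironment, for instance, refuses attribute access that escapes the provided context); rendering with the engine's default environment is the equivalent of render_unsafe.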