LiteLLM Command Execution Vulnerability via MCP Test Endpoints

Vulnerability

A vulnerability in LiteLLM versions from 1.74.2 up to, but not including, 1.83.7 allows authenticated users to execute arbitrary commands on the host machine. The issue arises from two MCP test endpoints, 'POST /mcp-rest/test/connection' and 'POST /mcp-rest/test/tools/list', which accepted full server configurations, including command execution details. When these endpoints were called with a standard input/output (stdio) configuration, they executed the specified commands as subprocesses on the proxy host, with the privileges of the proxy process. The vulnerability was reachable by any user with a valid proxy API key, including low-privilege internal-user keys.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the host machine where LiteLLM is running.

Remediation

Users can upgrade to LiteLLM version 1.83.7 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, the vulnerable endpoints can be blocked at the reverse proxy or API gateway.
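
To check whether a gateway block on these two endpoints is effective, and whether they were called before it was in place, the reverse proxy's access log can be searched for POST requests to them. The script below is an added example, not part of the advisory or of LiteLLM; it assumes combined-format access logs and that the gateway answers blocked requests with 403 or 404, and its sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Endpoint paths named in the advisory.
MCP_TEST_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}

# Client IP, request line and status from a common/combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Reduce a logged request target to a canonical path for comparison."""
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %xx
    path = re.sub(r"/+", "/", path)          # collapse duplicate slashes
    return path.rstrip("/") or "/"

def find_mcp_test_requests(lines, blocked_statuses=(403, 404)):
    """Return (ip, path, status, blocked) for each POST to an MCP test endpoint.

    blocked_statuses is an assumption about how the gateway rejects requests.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalize_path(m["target"])
        if path in MCP_TEST_PATHS:
            status = int(m["status"])
            hits.append((m["ip"], path, status, status in blocked_statuses))
    return hits

# Constructed sample log lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2026:04:00:01 +0000] "POST /mcp-rest/test/connection HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.11 - - [08/May/2026:04:00:05 +0000] "POST /mcp-rest/test/tools/list?x=1 HTTP/1.1" 403 162 "-" "-"',
    '192.0.2.12 - - [08/May/2026:04:00:09 +0000] "POST /mcp-rest//test/connection/ HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.13 - - [08/May/2026:04:00:12 +0000] "GET /mcp-rest/test/connection HTTP/1.1" 405 0 "-" "-"',
    '192.0.2.14 - - [08/May/2026:04:00:15 +0000] "POST /chat/completions HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for ip, path, status, blocked in find_mcp_test_requests(SAMPLE_LOG):
        state = "blocked at gateway" if blocked else "reached upstream, review"
        print(f"{ip} POST {path} -> {status} ({state})")
```

Requests reported as having reached upstream on a version in the affected range are the ones to correlate with the API key used and with process activity on the proxy host.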

Added: May 8, 2026, 4:27 AM
Updated: May 8, 2026, 4:27 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 3.3
remediation: 7.9
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.