BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the /completions
endpoint. The vulnerability arises from the hf_chat_template
method processing the chat_template
parameter from the tokenizer_config.json
file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious tokenizer_config.json
files that execute arbitrary code on the server.
The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Litellm | Litellm | * | 1.34.42 (excluding) |