BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the /completions
endpoint. The vulnerability arises from the hf_chat_template
method processing the chat_template
parameter from the tokenizer_config.json
file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious tokenizer_config.json
files that execute arbitrary code on the server.
The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.