CVE-2024-4888— LiteLLM 输入验证错误漏洞

Arbitrary File Deletion in BerriAI/litellm

BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this vulnerability by sending a specially crafted request that includes a file path to the server, which then deletes the specified file without proper authorization or validation. This vulnerability is present in the code where `os.remove(file.filename)` is used to delete a file, allowing any user to delete critical files on the server such as SSH keys, SQLite databases, or configuration files.

N/A

授权机制缺失

LiteLLM 输入验证错误漏洞

LiteLLM是Berri AI开源的一个应用程序。可以使用 OpenAI 格式调用所有 LLM API。 LiteLLM 存在输入验证错误漏洞，该漏洞源于 /audio/transcriptions API 存在输入验证不当问题，导致容易受到任意文件删除的影响。

N/A

N/A