FKIE_CVE-2024-8984

Vulnerability from fkie_nvd - Published: 2025-03-20 10:15 - Updated: 2025-10-15 13:15
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A Denial of Service (DoS) vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.
References
security@huntr.devhttps://github.com/berriai/litellm/commit/4f49f836aa844ac9b6bfbeff27e6f6b2b9cf3f61
security@huntr.devhttps://huntr.com/bounties/554fc76b-3097-4223-b4cf-110b853e9355Exploit, Third Party Advisory
Impacted products
Vendor Product Version
litellm litellm *
litellm litellm 1.65.4
litellm litellm 1.65.4
litellm litellm 1.65.4
litellm litellm 1.65.4
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA751173-C195-4141-990E-BF283359EB51",
              "versionEndExcluding": "1.65.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:litellm:litellm:1.65.4:dev2:*:*:*:*:*:*",
              "matchCriteriaId": "9FF1A650-6A97-453B-AC95-C05B9864B71C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:litellm:litellm:1.65.4:dev6:*:*:*:*:*:*",
              "matchCriteriaId": "5806D436-A882-4E96-B1F6-281BDD797F0F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:litellm:litellm:1.65.4:dev8:*:*:*:*:*:*",
              "matchCriteriaId": "00216FEB-389B-4841-AA18-FB29D2CA487A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:litellm:litellm:1.65.4:nightly:*:*:*:*:*:*",
              "matchCriteriaId": "809B9B6C-FCDA-4BDB-BB3D-AB94E933F042",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Denial of Service (DoS) vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en berriai/litellm versi\u00f3n v1.44.5. Esta vulnerabilidad puede explotarse a\u00f1adiendo caracteres, como guiones (-), al final de un l\u00edmite multiparte en una solicitud HTTP. El servidor procesa continuamente cada car\u00e1cter, lo que provoca un consumo excesivo de recursos y deja el servicio indisponible. El problema no est\u00e1 autenticado y no requiere la interacci\u00f3n del usuario, lo que afecta a todos los usuarios del servicio."
    }
  ],
  "id": "CVE-2024-8984",
  "lastModified": "2025-10-15T13:15:56.553",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-20T10:15:45.583",
  "references": [
    {
      "source": "security@huntr.dev",
      "url": "https://github.com/berriai/litellm/commit/4f49f836aa844ac9b6bfbeff27e6f6b2b9cf3f61"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/554fc76b-3097-4223-b4cf-110b853e9355"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.