CVE-2024-8984

HIGH

Litellm < 1.65.4 - Resource Allocation Without Limits

Title source: rule

Description

A Denial of Service (DoS) vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://huntr.com/bounties/554fc76b-3097-4223-b4cf-110b853e9355

Patch

https://github.com/berriai/litellm/commit/4f49f836aa844ac9b6bfbeff27e6f6b2b9cf3f61

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0064

EPSS Percentile 70.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (3)

litellm/litellm 1.65.4 dev2 (4 CPE variants)

litellm/litellm < 1.65.4

pypi/litellm 0 - 1.56.2PyPI

Published Mar 20, 2025

Tracked Since Feb 18, 2026