GHSA-wxxx-gvqv-xp7p
LiteLLM has a sandbox escape in custom-code guardrail
Details
### Impact
The `POST /guardrails/test_custom_code` endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.
**Reaching the endpoint requires a proxy-admin credential** in default configurations.
### Patches
Fixed in **`1.83.11`**. The hand-rolled sandbox has been replaced with `RestrictedPython`. Upgrade to `1.83.11` or later.
### Workarounds
If upgrading is not immediately possible, block `POST /guardrails/test_custom_code` at your reverse proxy or API gateway.
### References
- Patched release: [`v1.83.10-stable`](https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable)
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/BerriAI/litellm/security/advisories/GHSA-wxxx-gvqv-xp7p [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-40217 [ADVISORY]
- https://github.com/BerriAI/litellm [PACKAGE]
- https://github.com/BerriAI/litellm/releases/tag/v1.83.10-stable [WEB]
- https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm [WEB]