LiteLLM, an open-source proxy server for language model APIs, had two vulnerabilities allowing remote code execution via a standard API key. These exploits stemmed from environment variable disclosure and a Jinja2 server-side template injection. Both vulnerabilities were addressed in the v1.84.0-rc.1 patch, implementing multiple security measures.
No Tokens Required: A Movie Power Virtual Reality Breakout Exploit
During summer 2024, I went on holiday and encountered multiple virtual reality (VR) arcades containing a vulnerability which allowed me to break out of the VR application and pop a Windows command prompt on the arcade machine.