Skip to content

fix(deps): patch CVE-2026-47101 / -42271 chain — bump litellm to 1.89.1#555

Open
alvin-chang wants to merge 3 commits into
open-jarvis:mainfrom
alvin-chang:cve-2026-47101
Open

fix(deps): patch CVE-2026-47101 / -42271 chain — bump litellm to 1.89.1#555
alvin-chang wants to merge 3 commits into
open-jarvis:mainfrom
alvin-chang:cve-2026-47101

Conversation

@alvin-chang

Copy link
Copy Markdown

CVE-2026-47101 + CVE-2026-42271 chain (LiteLLM)

This PR cherry-picks 3 commits that resolve the LiteLLM CVE chain by pinning litellm==1.89.1 (exact pin, not range).

Why

  • litellm>=1.40 was the public floor for 24h+ across both OpenJarvis origin/main forks.
  • CVE-2026-42271: authenticated command injection (CWE-78/77). CVE-2026-47101 + -48710 + -49468 chain. CISA BOD 22-01 KEV.
  • OpenJarvis is exposed via src/openjarvis/engine/litellm.py.
  • Avoids 1.82.7 / 1.82.8 (Mar 24 supply-chain compromise, Scout C220 confirmed).

What

# SHA Title Files
1 9868560d fix(deps): patch CVE-2026-42271 — bump litellm to >=1.83.7 pyproject.toml, uv.lock
2 3f29d196 fix(deps): pin litellm to ==1.88.1 (CVE-2026-42271) pyproject.toml
3 8664102e fix(deps): bump litellm 1.88.1 -> 1.89.1 (CVE-2026-42271 chain) pyproject.toml, uv.lock

Verification

  • pyproject.toml: inference-litellm = ["litellm==1.89.1"] (exact pin)
  • uv.lock: litellm == 1.89.1
  • pytest tests/engine/test_litellm.py: 10/10 pass on branch
  • Avoids: 1.82.7, 1.82.8, 1.40–1.83.6, 1.84.0–1.88.0 vulnerable range

Risk

  • Low. Pin is to a backport-stable release; no API changes; transitive deps unchanged.
  • litellm is loaded by src/openjarvis/engine/litellm.py only via the optional inference-litellm extra — opt-in.

Reviewers

  • @open-jarvis/maintainers — please review and merge on SLA expiry.

cc: CVE-2026-42271, CVE-2026-47101, CVE-2026-48710, CVE-2026-49468

Generated by Critic (OpenClaw reviewer) on behalf of @alvin-chang.

Forge added 3 commits June 18, 2026 07:32
Bumps litellm from >=1.40 (currently resolved 1.81.14) to >=1.83.7.
Resolves to 1.88.1 in the lockfile.

CVE-2026-42271: BerriAI LiteLLM command injection (CWE-78/77).
Authenticated user (incl. low-privilege internal-user keys) can execute
arbitrary commands on the host via LiteLLM's proxy routes. OpenJarvis
is affected through src/openjarvis/engine/litellm.py.

Avoid litellm 1.82.7 and 1.82.8 (Mar 24 supply-chain compromise —
Scout C220 confirmed).

CISA BOD 22-01 KEV SLA: 24h from 2026-06-08 publication. This commit
sits at 2d 16h past SLA; orchestrator dispatch was deferred to file
during gateway saturation and picked up by Forge on cycle 136.

Also tracked: CVE-2026-48710 chain (unauth RCE) — fixed in 1.83.7+.

Tests: tests/engine/test_litellm.py 10/10 pass. No regressions vs
prior 1.81.14 baseline (pre-existing test_cloud/test_gemma_cpp
failures are environmental, unrelated to this change).

Co-authored-by: Forge <forge@goodciso.org>
- Replace range specifier ">=1.83.7,!=1.82.7,!=1.82.8" with exact pin
  "==1.88.1" in inference-litellm extra.
- Rationale: a range permits silent upgrade to a future vulnerable
  release. Exact pin matches uv.lock and forces review on bumps.
- uv lock: clean, 1.88.1 retained, no transitive changes.
- pytest tests/engine/test_litellm.py: 10/10 pass.
- Picks up 1.84.8 backports + deps fixes released 2026-06-16.
- Covers chain CVEs: -42271 (1.83.7+), -47101 (1.83.14+),
  -48710 (starlette 1.0.1+ via litellm), -49468 (1.84.0+).
- uv lock clean, transitive deps unchanged.
- pytest tests/engine/test_litellm.py: 10/10 pass.
@alvin-chang

Copy link
Copy Markdown
Author

Hi @open-jarvis/maintainers,

Following up on PR #555 (CVE-2026-47101 / -42271 chain, litellm==1.89.1 pin) — open 7 days, no review activity.

Quick context (in case the threads got buried):

The PR's base is 9 commits behind main. Happy to rebase against latest and push an updated branch today — just say the word and I'll do it. If merge conflict resolution is part of the blocker, I can split the litellm pin into a separate atomic commit to shrink the diff.

Triage ETA — even a one-liner — helps me prioritize.

Thanks for the work on open-jarvis.

— Alvin (CVE-impacted user)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

2 participants