What happened
Two LiteLLM MCP “preview” endpoints — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full MCP server config in the body, including stdio transport fields command, args, and env; when invoked with stdio settings, the proxy attempted a connection that spawned the supplied command as a subprocess on the proxy host with the proxy’s privileges (GitHub Advisory GHSA-v4p8-mg3p-g94g).
These test endpoints were protected only by a valid proxy API key, with no role check; any authenticated user — including holders of low‑privilege internal‑user keys — could execute arbitrary commands on the host (GHSA-v4p8-mg3p-g94g advisory).
The issue is fixed in LiteLLM version 1.83.7; both test endpoints now require the PROXY_ADMIN role, aligning them with the save endpoint’s authorization behavior (patch note in GHSA).
If you cannot upgrade immediately, block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at your reverse proxy or API gateway as a workaround (workarounds per GHSA).
Why it matters
This is an authenticated command execution path embedded in an agent-integration preview flow. Any compromised or misused low-privilege proxy key could be leveraged to spawn attacker‑controlled processes on the proxy host, running with the proxy process’s effective privileges (LiteLLM advisory).
In stacks where AI agents rely on MCP servers bridged through a proxy, a “test connection” call becomes a host‑level execution primitive when stdio is accepted verbatim — a sharp deviation from the principle of least privilege. Enforcing an admin‑only role on these endpoints closes that gap, but environments that lag upgrades remain exposed to authenticated abuse (advisory details).
Technical detail
- Functionality: The preview endpoints allowed submitting a full MCP server configuration, including the stdio transport parameters command, args, and env. When invoked with stdio, the proxy attempted to connect, which directly spawned the provided command on the host (GHSA disclosure).
- AuthZ gap: Access required only a valid proxy API key; there was no role check, meaning low‑privilege internal‑user tokens could trigger process execution via these test endpoints (GHSA-v4p8-mg3p-g94g).
- Privilege context: The spawned subprocess executed with the privileges of the proxy process, expanding impact beyond configuration read/write into arbitrary command execution on the proxy host (advisory impact).
- Remediation: Version 1.83.7 requires the PROXY_ADMIN role for both test endpoints, bringing them in line with the save endpoint’s stricter authorization (fixed in 1.83.7).
- Interim controls: Block POST /mcp-rest/test/connection and /mcp-rest/test/tools/list at your reverse proxy or API gateway until you can upgrade (workaround from GHSA).
Practical exploit path:
1) Obtain or possess any valid proxy API key (including internal-user scope).
2) Send a POST to /mcp-rest/test/connection (or /mcp-rest/test/tools/list) with a stdio MCP config specifying attacker-chosen command, optional args, and env.
3) The proxy attempts a connection and spawns the supplied process on the host with its own privileges (exploit mechanics per GHSA).
Defense
- Upgrade now: Move to LiteLLM 1.83.7+ to enforce PROXY_ADMIN on both test endpoints and align preview flows with privileged operations (upgrade per advisory).
- Immediate containment: Block POST /mcp-rest/test/connection and /mcp-rest/test/tools/list at your reverse proxy or API gateway if upgrade is delayed (documented workaround).
- Access control: Scope API keys tightly; don’t distribute internal-user keys beyond necessity. Treat any key that could hit these endpoints as sensitive and rotate if misuse is suspected (GHSA context).
- Runtime hardening: Run the proxy under least privilege and isolated from sensitive host resources. Limit what a spawned subprocess could access if an authenticated endpoint is abused.
- Monitoring: Alert on POST traffic to /mcp-rest/test/connection and /mcp-rest/test/tools/list, and on proxy‑owned child process creation events that align with recent test calls. This correlates control-plane misuse with data-plane execution.
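A detection check for the monitoring bullet above, as an added example that is not LiteLLM's code or the advisory's: it parses constructed access-log and process-event lines (the formats, key ids and proxy pid are assumptions) and flags a POST to a test endpoint that is followed within a few seconds by a child process of the proxy.

```python
# Added example (not LiteLLM's code): correlate POSTs to the MCP test endpoints
# with child processes spawned by the proxy shortly afterwards. Log formats,
# key ids and the proxy pid are constructed for the demo; adapt the regexes to
# your access log and process telemetry (auditd, eBPF, EDR).
import re
from datetime import datetime, timedelta

TEST_ENDPOINTS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
PROXY_PID = 4242  # constructed: pid of the LiteLLM proxy process
ACCESS_RE = re.compile(r"^(\S+) (\S+) POST (\S+) (\d{3})$")  # "<ts> <key> POST <path> <status>"
PROC_RE = re.compile(r"^(\S+) ppid=(\d+) pid=(\d+) cmd=(.*)$")  # "<ts> ppid=<n> pid=<n> cmd=<text>"


def parse_posts(lines):
    """Yield (timestamp, key_id, path) for POSTs to the MCP test endpoints."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group(3) in TEST_ENDPOINTS:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def parse_spawns(lines, proxy_pid=PROXY_PID):
    """Yield (timestamp, cmd) for processes whose parent is the proxy."""
    for line in lines:
        m = PROC_RE.match(line)
        if m and int(m.group(2)) == proxy_pid:
            yield datetime.fromisoformat(m.group(1)), m.group(4)


def correlate(access_lines, proc_lines, window_s=5):
    """One alert per test-endpoint POST followed within window_s seconds by a
    proxy child process; each spawn is attributed to at most one POST."""
    spawns, used, alerts = sorted(parse_spawns(proc_lines)), set(), []
    for ts, key_id, path in sorted(parse_posts(access_lines)):
        for i, (sts, cmd) in enumerate(spawns):
            if i not in used and ts <= sts <= ts + timedelta(seconds=window_s):
                used.add(i)
                alerts.append({"key": key_id, "path": path, "cmd": cmd})
                break
    return alerts


# Constructed sample telemetry: an admin test call with no child spawn (the
# ppid=1 event is the proxy itself) and a low-privilege key's call followed by one.
ACCESS_LOG = [
    "2024-06-01T10:00:00 key_admin POST /mcp-rest/test/connection 200",
    "2024-06-01T10:01:00 key_user7 POST /mcp-rest/test/tools/list 200",
]
PROC_EVENTS = [
    "2024-06-01T10:00:00 ppid=1 pid=4242 cmd=litellm --config proxy.yaml",
    "2024-06-01T10:01:02 ppid=4242 pid=5101 cmd=sh -c uname -a",
]
```

Alerts carry the calling key id, so the token can be revoked and the process tree inspected; tune window_s to your proxy's connection timeout.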
Lyrie Verdict
Preview endpoints that execute stdio configs are rogue‑agent accelerants: they convert a routine “test” into host‑level process launch for anyone with a proxy key (GHSA-v4p8-mg3p-g94g). Lyrie instruments the agent perimeter to respond at machine speed: correlate POSTs to /mcp-rest/test/* with immediate child‑process spawns by the proxy, auto‑revoke the calling token, kill the process tree, and quarantine the proxy container before persistence lands. This closes the gap between authenticated misuse and operator awareness — the window this bug exploited.