POC / docker-compose.yml YML
# Give the project's default network a fixed name; every service in this
# lab attaches to it through its own `networks:` entry.
networks:
  default:
    name: "cve-2026-35029-net"

services:
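  # ── PostgreSQL Database (required by LiteLLM's DATABASE_URL) ──────────
  # Lab-only backing store. The credentials below are fixed demo values that
  # are published with this PoC, so the host port is bound to loopback rather
  # than to every interface. Containers on the compose network reach the
  # database directly and do not depend on the host mapping.
  db:
    image: postgres:15-alpine
    container_name: litellm-db-35029
    environment:
      POSTGRES_DB: production
      POSTGRES_USER: admin
      # Demo value only; never reuse outside this lab.
      POSTGRES_PASSWORD: "SuperSecretPassword123"
    ports:
      # Host side restricted to 127.0.0.1 so a database with known
      # credentials is not reachable from the LAN.
      - "127.0.0.1:5432:5432"
    healthcheck:
      # Must use the same user and database as POSTGRES_USER / POSTGRES_DB.
      test: ["CMD-SHELL", "pg_isready -U admin -d production"]
      interval: 5s
      timeout: 3s
      retries: 10
    networks:
      default:
        aliases:
          # Extra DNS name for this container on the lab network;
          # presumably the host used in the LiteLLM DATABASE_URL.
          - db.internal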

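  # ── Attacker's Exfiltration Server ──────────────────────────────────
  # Lab listener built from ./exfil-server. Other services reach it by
  # service name over the compose network, so the host mapping is only
  # needed for local inspection and is bound to loopback.
  exfil-server:
    build: ./exfil-server
    container_name: exfil-server
    ports:
      # Loopback only: keeps the listener off the host's external interfaces.
      - "127.0.0.1:9999:9999"
    networks:
      - default
    # Comes back after a daemon restart; run `docker compose down` when the
    # exercise is finished so it does not linger.
    restart: unless-stopped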

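  # ── Vulnerable LiteLLM (v1.81.x — before /config/update role check) ─
  # Pinned to the Jan 24, 2026 build via digest. Do NOT change to
  # main-v1.81.0-stable (mutable tag — may be rebuilt with fixes).
  #
  # Deliberately vulnerable build with a static master key: run it only on
  # an isolated host. The published port is bound to loopback so the proxy
  # is not exposed on the host's external interfaces.
  litellm-vuln:
    image: ghcr.io/berriai/litellm@sha256:5beb4ea641e414d2034ac4a42b72bcb3bde7d64908486bd2eba652c72cf091d9
    container_name: litellm-cve-35029-vuln
    ports:
      - "127.0.0.1:4000:4000"
    environment:
      # Every value below is a fixed demo/dummy value from this lab. Do not
      # substitute real credentials: this container is expected to leak them.
      - LITELLM_MASTER_KEY=sk-litellm-master-key
      # User, password, host alias and database name mirror the db service
      # (POSTGRES_USER / POSTGRES_PASSWORD / db.internal / POSTGRES_DB).
      - DATABASE_URL=postgresql://admin:SuperSecretPassword123@db.internal:5432/production
      - STORE_MODEL_IN_DB=True
      - AWS_SECRET_ACCESS_KEY=AKIA1234567890EXAMPLE
      - OPENAI_API_KEY=sk-openai-secret-key-leaked
      - LANGFUSE_PUBLIC_KEY=-----BEGIN CERTIFICATE-----\nMIIBkzCCAT2gAwIBAgIEMQ...\n-----END CERTIFICATE-----
      - LANGFUSE_SECRET_KEY=sk-langfuse-secret-abcdef123456
    volumes:
      # Read-only mount: the container cannot rewrite the config file on disk.
      - ./litellm_config.yaml:/app/config.yaml:ro
    depends_on:
      # Wait for PostgreSQL's healthcheck before starting the proxy.
      db:
        condition: service_healthy
      exfil-server:
        condition: service_started
    networks:
      - default
    # The vulnerable container restarts with the Docker daemon; tear the lab
    # down with `docker compose down` when finished.
    restart: unless-stopped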

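  # ── Fixed LiteLLM (v1.83.0+ — patched) ─────────────────────────────
  # Comparison target for verifying the fix. Started only when the `fixed`
  # profile is enabled (e.g. `docker compose --profile fixed up`).
  litellm-fixed:
    # NOTE(review): referenced by tag, not digest, unlike the vulnerable
    # service. For a reproducible comparison pin it once verified, e.g.
    # ghcr.io/berriai/litellm@sha256:<DIGEST_OF_VERIFIED_PATCHED_IMAGE>.
    image: ghcr.io/berriai/litellm:v1.83.10-stable
    container_name: litellm-cve-35029-fixed
    ports:
      # Host port 4001 maps to the proxy's 4000; bound to loopback so the
      # lab instance is not exposed on the host's external interfaces.
      - "127.0.0.1:4001:4000"
    environment:
      # Fixed demo/dummy values from this lab; never substitute real ones.
      - LITELLM_MASTER_KEY=sk-litellm-master-key
      # User, password, host alias and database name mirror the db service
      # (POSTGRES_USER / POSTGRES_PASSWORD / db.internal / POSTGRES_DB).
      - DATABASE_URL=postgresql://admin:SuperSecretPassword123@db.internal:5432/production
      - STORE_MODEL_IN_DB=True
      - AWS_SECRET_ACCESS_KEY=AKIA1234567890EXAMPLE
      - OPENAI_API_KEY=sk-openai-secret-key-leaked
    volumes:
      # Same read-only config file as the vulnerable service.
      - ./litellm_config.yaml:/app/config.yaml:ro
    profiles:
      - fixed
    depends_on:
      # Wait for PostgreSQL's healthcheck before starting the proxy.
      db:
        condition: service_healthy
      exfil-server:
        condition: service_started
    networks:
      - default
    restart: unless-stopped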