[Critical Security] Remote Code Execution (RCE) Vulnerability Detected

[devlin9824]

Hello maintainers,

I am a security researcher and I have identified a Critical vulnerability (Remote Code Execution) in this repository. The vulnerability allows an attacker to execute arbitrary system commands on the server running optillm via specific inputs.

I have verified this with a working Proof of Concept (PoC).

To prevent potential exploitation by malicious actors, I have not included the technical details or the vulnerable module name in this public issue.

Action Requested: Please provide a private communication channel (email or GitHub Security Advisory) so I can share the full report and the PoC safely.

Best regards.

[codelion]

I have enabled private security vulnerability reporting in the repository you can use that to send the details. Just a note, the threat model for this project is based on allowing code execution with dynamically loaded plugins and as such the proxy is not meant to be run exposed to the internet to allow arbitrary user inputs.