Homepage

litellm@1.46.5 vulnerabilities

Library to easily interface with LLM API providers

  • latest version

    1.80.10

  • latest non vulnerable version

    1.80.10

  • first published

    2 years ago

  • latest version published

    4 hours ago

  • licenses detected

  • View litellm package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the litellm package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Insertion of Sensitive Information into Externally-Accessible File or Directory

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory due to incomplete masking of OCI secret fields in responses from the /models and /v1/models endpoints. An attacker can obtain sensitive OCI credentials (such as key, tenancy, fingerprint, and key_file).

    How to fix Insertion of Sensitive Information into Externally-Accessible File or Directory?

    Upgrade litellm to version 1.77.7 or higher.

    [,1.77.7)
    • M
    Insertion of Sensitive Information into Log File

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the get_redirect_response_from_openid and forward_upstream_to_client functions. An attacker can obtain sensitive authentication credentials such as plaintext jwt_token and related data.

    How to fix Insertion of Sensitive Information into Log File?

    Upgrade litellm to version 1.77.7 or higher.

    [,1.77.7)
    • M
    Missing Authentication for Critical Function

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via sensitive in-memory cache debug endpoints. An unauthenticated attacker can access sensitive cached information by accessing the /memory-usage-in-mem-cache and /memory-usage-in-mem-cache-items routes.

    How to fix Missing Authentication for Critical Function?

    Upgrade litellm to version 1.76.3 or higher.

    [,1.76.3)
    • H
    Incorrect Authorization

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Incorrect Authorization via incomplete role-based checks in the _check_proxy_admin_viewer_access function. An attacker can modify user credentials by sending crafted requests to endpoints such as /key/generate, /key/update when assigned with the PROXY_ADMIN_VIEW_ONLY role.

    How to fix Incorrect Authorization?

    Upgrade litellm to version 1.77.1 or higher.

    [,1.77.1)
    • M
    SQL Injection

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to SQL Injection via spend_management_endpoints.py. An attacker could potentially inject malicious SQL code through unsanitized input, leading to unauthorized data access or manipulation.

    How to fix SQL Injection?

    Upgrade litellm to version 1.67.4.dev1 or higher.

    [,1.67.4.dev1)
    • H
    Incorrect Permission Assignment for Critical Resource

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource on the Azure OpenAI route. The get_model_from_request() function does not necessarily enforce access restrictions, when an attacker specifies the target model as a URL parameter and not in the payload of the request.

    How to fix Incorrect Permission Assignment for Critical Resource?

    Upgrade litellm to version 1.64.1 or higher.

    [,1.64.1)
    • H
    Denial of Service (DoS)

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Denial of Service (DoS) through the use of ast.literal_eval to parse user input.

    How to fix Denial of Service (DoS)?

    Upgrade litellm to version 1.53.1 or higher.

    [,1.53.1)
    • H
    Improper Authorization

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Improper Authorization due to the overly privileged API key assigned to internal_user_viewer roles. An attacker can escalate privileges within the application by accessing administrative functions such as /users/list and /users/get_users.

    How to fix Improper Authorization?

    Upgrade litellm to version 1.61.15 or higher.

    [,1.61.15)
    • H
    Allocation of Resources Without Limits or Throttling

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the processing of multipart boundaries in HTTP requests. An attacker can cause excessive resource consumption and render the service unavailable by appending characters to the end of a multipart boundary.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade litellm to version 1.56.2 or higher.

    [,1.56.2)
    • H
    Arbitrary Command Injection

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Arbitrary Command Injection through the post_call_rules configuration. An attacker can execute arbitrary commands by setting a system method, such as os.system, as a callback, which is executed when a chat response is processed.

    How to fix Arbitrary Command Injection?

    Upgrade litellm to version 1.65.5 or higher.

    [,1.65.5)
    • H
    Exposure of Sensitive Information Through Metadata

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata due to an issue in proxy_server.py. An attacker can obtain sensitive information, including API keys, by triggering error conditions during the parsing of team settings.

    How to fix Exposure of Sensitive Information Through Metadata?

    Upgrade litellm to version 1.65.5 or higher.

    [,1.65.5)
    • H
    Incorrect Permission Assignment for Critical Resource

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the generate_key_fn() function, which allows a user with the Internal role to change the keys of another user whose user_id they know. An attacker can escalate privileges via the /key/update.

    How to fix Incorrect Permission Assignment for Critical Resource?

    Upgrade litellm to version 1.60.4 or higher.

    [,1.60.4)
    • M
    SQL Injection

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to SQL Injection through the /team/update process. An attacker can extract or manipulate sensitive data by injecting malicious SQL commands into the user_id parameter.

    How to fix SQL Injection?

    Upgrade litellm to version 1.49.6 or higher.

    [,1.49.6)
    Go back to all versions of this package