litellm@1.61.4 vulnerabilities

Library to easily interface with LLM API providers

  • latest version

    1.66.3

  • latest non-vulnerable version

  • first published

    1 year ago

  • latest version published

    1 day ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the litellm package. This does not include vulnerabilities belonging to this package’s dependencies.

    • [H] Incorrect Permission Assignment for Critical Resource

    litellm is a library for easily interfacing with LLM API providers.

    Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource on the Azure OpenAI route. The get_model_from_request() function does not reliably enforce access restrictions when the target model is specified as a URL parameter rather than in the request payload, so model-level access controls can be bypassed.

    How to fix Incorrect Permission Assignment for Critical Resource?

    Upgrade litellm to version 1.64.1 or higher.

    Vulnerable versions: [,1.64.1)
    • [H] Improper Authorization

    litellm is a library for easily interfacing with LLM API providers.

    Affected versions of this package are vulnerable to Improper Authorization because the API key assigned to the internal_user_viewer role is overly privileged. An attacker holding such a key can escalate privileges within the application by accessing administrative functions such as /users/list and /users/get_users.

    How to fix Improper Authorization?

    Upgrade litellm to version 1.61.15 or higher.

    Vulnerable versions: [,1.61.15)
    • [H] Arbitrary Command Injection

    litellm is a library for easily interfacing with LLM API providers.

    Affected versions of this package are vulnerable to Arbitrary Command Injection through the post_call_rules configuration. An attacker who can set a system function such as os.system as a callback in that configuration can execute arbitrary commands, because the callback is executed when a chat response is processed.

    How to fix Arbitrary Command Injection?

    Upgrade litellm to version 1.65.5 or higher.

    Vulnerable versions: [,1.65.5)
    • [H] Exposure of Sensitive Information Through Metadata

    litellm is a library for easily interfacing with LLM API providers.

    Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata due to an issue in proxy_server.py. An attacker can obtain sensitive information, including API keys, by triggering error conditions while team settings are being parsed.

    How to fix Exposure of Sensitive Information Through Metadata?

    Upgrade litellm to version 1.65.5 or higher.

    Vulnerable versions: [,1.65.5)