litellm@1.67.0 vulnerabilities

Library to easily interface with LLM API providers

  • latest version

    1.80.10

  • first published

    2 years ago

  • latest version published

    5 hours ago

  • Direct Vulnerabilities

    Known vulnerabilities in the litellm package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable version range
    • H (High severity)
    Insertion of Sensitive Information into Externally-Accessible File or Directory

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory due to incomplete masking of OCI secret fields in responses from the /models and /v1/models endpoints. An attacker can obtain sensitive OCI credentials (such as key, tenancy, fingerprint, and key_file).

    How to fix Insertion of Sensitive Information into Externally-Accessible File or Directory?

    Upgrade litellm to version 1.77.7 or higher.

    [,1.77.7)
    • M (Medium severity)
    Insertion of Sensitive Information into Log File

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the get_redirect_response_from_openid and forward_upstream_to_client functions. An attacker can obtain sensitive authentication credentials such as plaintext jwt_token and related data.

    How to fix Insertion of Sensitive Information into Log File?

    Upgrade litellm to version 1.77.7 or higher.

    [,1.77.7)
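    The two entries above share one root cause: secret-bearing fields reach an output channel (a response body from /models, a log line written by the OpenID redirect and upstream-forwarding code) without one masking rule applied everywhere. The block below is an added example, not litellm's own code, that shows the shape of a complete fix and of the check a practitioner would run after upgrading: a deny-list redaction applied recursively to a response body, a leak finder to run over a decoded /models or /v1/models response, and a logging filter that masks the same field names in log-call arguments. The field-name pattern, the sample response and the log call are constructed for the example.

```python
import logging
import re
from typing import Any

# Field names that must never appear unmasked in an API response or a log line.
# Constructed from the fields the two advisories above name (OCI key, tenancy,
# fingerprint, key_file; jwt_token); widen the pattern for other providers.
SENSITIVE_KEY_RE = re.compile(r"(key|token|secret|password|fingerprint|tenancy)", re.IGNORECASE)
MASK = "***"


def is_sensitive(name: str) -> bool:
    return SENSITIVE_KEY_RE.search(name) is not None


def redact(obj: Any) -> Any:
    """Deep copy of obj with the value under every sensitive key replaced by MASK.

    Recurses through dicts and lists, so provider blocks nested under a model entry
    are covered at any depth. Masking must be a single rule applied everywhere:
    the incomplete fix described above masked some OCI fields and missed others.
    """
    if isinstance(obj, dict):
        return {k: (MASK if is_sensitive(str(k)) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def find_leaks(obj: Any, path: str = "$") -> list:
    """Paths of sensitive keys whose value is not MASK; an empty list means clean.

    Point this at the decoded body of GET /models or GET /v1/models from a proxy
    you operate to confirm the upgrade actually closed the leak.
    """
    leaks = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}"
            if is_sensitive(str(k)) and v != MASK:
                leaks.append(here)
            leaks.extend(find_leaks(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            leaks.extend(find_leaks(v, f"{path}[{i}]"))
    return leaks


class RedactingFilter(logging.Filter):
    """Masks sensitive fields inside log-call arguments before they are formatted.

    Targets the pattern behind the log-file advisory: logging a token object
    (logger.debug("redirect: %s", token_dict)) writes jwt_token to disk verbatim.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):          # logger.info("%(x)s", {...}) style
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True


def log_with_redaction(msg: str, *args: Any) -> str:
    """Build a LogRecord the way logging does, run the filter, return the final text."""
    record = logging.LogRecord("litellm.proxy", logging.DEBUG, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


# Constructed sample in the shape of a /models entry carrying OCI parameters; it is
# not a capture from a real proxy and every value is a placeholder.
SAMPLE_MODELS_RESPONSE = {
    "data": [
        {
            "model_name": "oci-example",
            "litellm_params": {
                "model": "oci/example-model",
                "oci_region": "us-ashburn-1",
                "oci_tenancy": "ocid1.tenancy.oc1..example",
                "oci_fingerprint": "aa:bb:cc:dd",
                "oci_key": "-----BEGIN PRIVATE KEY-----\nexample\n-----END PRIVATE KEY-----",
                "oci_key_file": "/etc/oci/key.pem",
            },
        }
    ]
}

if __name__ == "__main__":
    print("leaks before:", find_leaks(SAMPLE_MODELS_RESPONSE))
    print("leaks after: ", find_leaks(redact(SAMPLE_MODELS_RESPONSE)))
    print(log_with_redaction("openid redirect: %s user=%s",
                             {"jwt_token": "eyJhbGciOi.example", "expires_in": 3600}, "alice"))
```

Attach `RedactingFilter` to the handler that writes the proxy log, not only to one logger, so every record passing through that handler is masked regardless of which module emitted it. `find_leaks` is the post-upgrade check: fetch the models endpoint with a valid key, decode the JSON, and expect an empty list.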
    • M (Medium severity)
    Missing Authentication for Critical Function

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via sensitive in-memory cache debug endpoints. An unauthenticated attacker can access sensitive cached information by accessing the /memory-usage-in-mem-cache and /memory-usage-in-mem-cache-items routes.

    How to fix Missing Authentication for Critical Function?

    Upgrade litellm to version 1.76.3 or higher.

    [,1.76.3)
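    The practical question after reading the entry above is whether a deployment you run still answers those debug routes to an anonymous caller. The script below is an added example, not part of litellm, that sends each route a GET with no Authorization header and classifies the status code; the `fetch` callable is injectable so the classification logic can be exercised offline against constructed status codes. The base URL default and the User-Agent string are assumptions.

```python
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Routes the advisory above names as reachable without credentials on affected
# versions. Add any other operational or debug routes you want checked.
DEBUG_ROUTES = [
    "/memory-usage-in-mem-cache",
    "/memory-usage-in-mem-cache-items",
]


def urllib_fetch(url: str) -> int:
    """Anonymous GET (no Authorization header); returns the HTTP status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "litellm-route-audit"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def classify(status: int) -> str:
    """Map a status code to what it means for an unauthenticated caller."""
    if status == 200:
        return "exposed"      # served without credentials: the missing-auth case
    if status in (401, 403):
        return "gated"        # rejected, which is what a fixed deployment should do
    if status == 404:
        return "absent"       # route not registered on this build
    return "other"            # redirects, 5xx, etc.: look at it by hand


def audit_unauthenticated(base_url: str, routes: List[str],
                          fetch: Callable[[str], int] = urllib_fetch) -> Dict[str, str]:
    """Probe each route anonymously and classify the answer."""
    base = base_url.rstrip("/")
    return {route: classify(fetch(base + route)) for route in routes}


def exposed(results: Dict[str, str]) -> List[str]:
    """Routes that answered 200 to an anonymous request, sorted for stable reports."""
    return sorted(route for route, verdict in results.items() if verdict == "exposed")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:4000"  # assumed default
    results = audit_unauthenticated(target, DEBUG_ROUTES)
    for route, verdict in results.items():
        print(f"{verdict:8} {route}")
    sys.exit(1 if exposed(results) else 0)
```

A non-zero exit on any `exposed` verdict makes this usable as a post-deploy gate. The check only proves the anonymous case; it says nothing about whether a low-privilege key is also allowed through, which is a separate test.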
    • H (High severity)
    Incorrect Authorization

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Incorrect Authorization via incomplete role-based checks in the _check_proxy_admin_viewer_access function. An attacker holding only the PROXY_ADMIN_VIEW_ONLY role can modify user credentials by sending crafted requests to endpoints such as /key/generate and /key/update.

    How to fix Incorrect Authorization?

    Upgrade litellm to version 1.77.1 or higher.

    [,1.77.1)
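    The bug class in the entry above is a view-only role whose check lists what it may not do rather than what it may. The block below is an added illustration, not litellm's `_check_proxy_admin_viewer_access`, contrasting a hypothetical denylist check that forgets the two routes the advisory names with a deny-by-default allowlist, plus a regression-style function that lists the write routes the weak check hands to the viewer. The route sets, the denylist contents and the assumption that PROXY_ADMIN_VIEW_ONLY is the role the page elsewhere calls proxy_admin_viewer are constructed for the example.

```python
from enum import Enum
from typing import List


class Role(str, Enum):
    PROXY_ADMIN = "proxy_admin"
    PROXY_ADMIN_VIEW_ONLY = "proxy_admin_viewer"   # assumed to be the advisory's view-only role
    INTERNAL_USER = "internal_user"


# Constructed route sets for the example, not litellm's own tables.
KEY_WRITE_ROUTES = {"/key/generate", "/key/update", "/key/delete", "/key/block", "/key/unblock"}
READ_ONLY_ROUTES = {"/key/info", "/key/list", "/spend/logs", "/models", "/v1/models"}


def viewer_access_denylist(role: Role, route: str) -> bool:
    """Hypothetical incomplete check in the spirit of the advisory: the view-only admin
    is allowed everywhere except a hand-written denylist. Every write route the author
    forgot (here /key/generate and /key/update, the two the advisory names) silently
    becomes writable for the viewer."""
    viewer_blocked = {"/key/delete"}
    if role == Role.PROXY_ADMIN:
        return True
    if role == Role.PROXY_ADMIN_VIEW_ONLY:
        return route not in viewer_blocked
    return False


def viewer_access_allowlist(role: Role, route: str) -> bool:
    """Deny by default: the viewer gets exactly the read-only routes and nothing else.
    A write route added later is refused until someone consciously allows it."""
    if role == Role.PROXY_ADMIN:
        return True
    if role == Role.PROXY_ADMIN_VIEW_ONLY:
        return route in READ_ONLY_ROUTES
    return False


def viewer_escalations() -> List[str]:
    """Write routes the incomplete check grants to the view-only role: the set a
    regression test for this bug class should assert is empty."""
    return sorted(r for r in KEY_WRITE_ROUTES
                  if viewer_access_denylist(Role.PROXY_ADMIN_VIEW_ONLY, r)
                  and not viewer_access_allowlist(Role.PROXY_ADMIN_VIEW_ONLY, r))


if __name__ == "__main__":
    for route in sorted(KEY_WRITE_ROUTES | READ_ONLY_ROUTES):
        print(f"{route:14} denylist={viewer_access_denylist(Role.PROXY_ADMIN_VIEW_ONLY, route)!s:5} "
              f"allowlist={viewer_access_allowlist(Role.PROXY_ADMIN_VIEW_ONLY, route)}")
    print("escalations:", viewer_escalations())
```

The useful habit is the last function: keep the full inventory of mutating routes in a test and assert that every non-admin role is refused on all of them, so a new `/key/...` write route fails the suite instead of shipping open.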
    • M (Medium severity)
    SQL Injection

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to SQL Injection via the /key/block endpoint. A user holding the proxy_admin_viewer role can read the contents of arbitrary files on the target filesystem by extracting them through the injection one character at a time.

    How to fix SQL Injection?

    Upgrade litellm to version 1.74.9.dev2 or higher.

    [1.48.18,1.74.9.dev2)
    • M (Medium severity)
    SQL Injection

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to SQL Injection via spend_management_endpoints.py. An attacker can inject SQL through unsanitized input handled by that module, leading to unauthorized data access or manipulation.

    How to fix SQL Injection?

    Upgrade litellm to version 1.67.4.dev1 or higher.

    [,1.67.4.dev1)
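    Both SQL Injection entries above come down to caller input being spliced into query text. The block below is an added example, not litellm's code, built on an in-memory SQLite table so it runs offline: a vulnerable `/key/block`-style update next to its parameterised form, and a character-at-a-time extraction that uses the update's "rows affected" count as a yes/no oracle, which is the mechanism the /key/block entry describes (there against file contents on the database host; here against a column, since SQLite has no file-reading function and the mechanism is the point). The table name, rows, alphabet and probe shape are constructed for the example.

```python
import sqlite3
from typing import Callable, List

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the proxy's key table. Rows are constructed placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE verification_token "
                 "(token TEXT PRIMARY KEY, user_id TEXT, blocked INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO verification_token VALUES (?, ?, 0)",
                     [("sk-aaaa", "alice"), ("sk-bbbb", "bob"), ("sk-cccc", "carol")])
    conn.commit()
    return conn


def block_key_vulnerable(conn: sqlite3.Connection, key: str) -> int:
    """The bug class behind both advisories: caller input is pasted into the SQL text,
    so a quote inside `key` ends the literal and the remainder becomes query syntax.
    Returns the number of rows the UPDATE touched."""
    sql = f"UPDATE verification_token SET blocked = 1 WHERE token = '{key}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def block_key_fixed(conn: sqlite3.Connection, key: str) -> int:
    """Parameterised form: the driver passes `key` as a bound value, never as SQL."""
    cur = conn.execute("UPDATE verification_token SET blocked = 1 WHERE token = ?", (key,))
    conn.commit()
    return cur.rowcount


def blocked_tokens(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in
            conn.execute("SELECT token FROM verification_token WHERE blocked = 1 ORDER BY token")]


def blind_extract_user(conn: sqlite3.Connection, token: str,
                       block: Callable[[sqlite3.Connection, str], int] = block_key_vulnerable,
                       max_len: int = 16) -> str:
    """Character-at-a-time extraction through the block function, using the affected
    row count as the oracle: a probe that matches makes the OR clause true for every
    row, a probe that misses matches nothing. One boolean question per position."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            probe = (f"x' OR substr((SELECT user_id FROM verification_token "
                     f"WHERE token='{token}'),{pos},1)='{ch}")
            if block(conn, probe) > 0:
                out += ch
                break
        else:
            break   # no candidate matched: end of the value (or a char outside ALPHABET)
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload x' OR '1'='1 ->", block_key_vulnerable(db, "x' OR '1'='1"), "rows")
    print("blocked now:", blocked_tokens(db))
    db = make_db()
    print("fixed, same payload ->", block_key_fixed(db, "x' OR '1'='1"), "rows")
    print("extracted via vulnerable path:", repr(blind_extract_user(make_db(), "sk-aaaa")))
    print("extracted via fixed path:     ", repr(blind_extract_user(make_db(), "sk-aaaa",
                                                                     block=block_key_fixed)))
```

Note that the oracle here is a side effect a legitimate caller of such an endpoint would see too (rows blocked, or a differing response), so the fix is not output filtering but binding every value, which the `block_key_fixed` path does. The same extraction loop returns an empty string against it.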