litellm@1.83.5

Library to easily interface with LLM API providers

  • latest version

    1.94.0.dev1

  • first published

    2 years ago

  • latest version published

    3 hours ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the litellm package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Authentication Bypass Using an Alternate Path or Channel

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the OAuth2 passthrough fallback in MCPRequestHandler.process_mcp_request in litellm/proxy/_experimental/mcp_server/auth/mcp_request_handler.py. An attacker can establish an authenticated MCP session without a valid LiteLLM key by sending a fabricated Authorization bearer token to an MCP route. When user_api_key_auth rejected the header with a 401 or 403, the handler replaced the failure with an anonymous UserAPIKeyAuth() object instead of denying the request. That lets the attacker reach MCP tooling and use connected upstream services exposed through MCP, breaking access control for deployed MCP endpoints.

    Notes

    • The bypass only applies on MCP transport routes that rely on the Authorization header for LiteLLM auth; requests with an explicit x-litellm-api-key follow the normal validation path instead of the OAuth2 passthrough fallback.
    • Mixed-target MCP requests are affected as a group: if a request names multiple servers via x-mcp-servers, a single non-oauth2 target is enough to make the fallback unsafe and the auth failure propagates instead of being downgraded to anonymous passthrough.

    Workarounds

    • Disable MCP routes, or block access to /mcp/ and related MCP endpoints at your reverse proxy or API gateway, to prevent unauthenticated requests from reaching MCP tooling.

    How to fix Authentication Bypass Using an Alternate Path or Channel?

    Upgrade litellm to version 1.84.0 or higher.

    [,1.84.0)
    • M
    Directory Traversal

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Directory Traversal via path traversal in the skill archive extraction logic in SkillPromptInjectionHandler and SkillsSandboxExecutor. An authenticated user with access to the Skills API, or a key allowed to call /v1/skills, anthropic_routes, or llm_api_routes, can upload a crafted ZIP archive with ../ or absolute-path entries to make extraction write files outside the intended staging directory. That lets the attacker overwrite files on the host, which can corrupt the deployment or place executable content in writable locations and lead to code execution depending on the runtime environment and filesystem permissions.

    Notes

    • The archive extraction path handling is only exercised when a skill ZIP is processed for execution, so deployments that expose Skills upload/processing through /v1/skills, anthropic_routes, or llm_api_routes are the relevant exposure points; ordinary LiteLLM use without those routes is not in scope.
    • The write primitive depends on the staging directory being used to materialize extracted files on disk, so impact is constrained by the runtime’s filesystem permissions and whatever writable locations the LiteLLM process can reach.

    Workarounds

    • Block POST /v1/skills at your reverse proxy or API gateway to prevent uploading crafted skill archives that can trigger the path traversal write.
    • Restrict Skills API access to trusted users only to limit who can submit malicious ZIP archives through /v1/skills, anthropic_routes, or llm_api_routes.

    How to fix Directory Traversal?

    Upgrade litellm to version 1.83.7 or higher.

    [,1.83.7)
    • M
    External Control of File Name or Path

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to External Control of File Name or Path via request-supplied OIDC file references through the /health/test_connection handler in litellm/proxy/health_endpoints/_health_endpoints.py and litellm/secret_managers/main.py. An attacker with privileged access to the proxy can read arbitrary local files by sending a litellm_params payload that points an oidc/file/ secret reference at a filesystem path such as /etc/passwd or another credential file. This exposes file contents to the caller during connection testing, letting a proxy administrator or other authorized model-connection tester retrieve secrets from the host filesystem instead of only using server-managed credential locations.

    Notes

    • oidc/file/ resolution is constrained to standard credential mount locations by default (/var/run/secrets and /run/secrets). Deployments that store OIDC material elsewhere need to set LITELLM_OIDC_ALLOWED_CREDENTIAL_DIRS to include those absolute directories, or those reads are rejected.
    • The affected request path includes nested litellm_params/metadata fields in the connection-test flow, so the file-reference handling is not limited to a single top-level parameter location.

    How to fix External Control of File Name or Path?

    Upgrade litellm to version 1.83.10 or higher.

    [,1.83.10)
    • M
    Incorrect Authorization

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Incorrect Authorization in the BannedKeywords enterprise and AzureContentSafety hooks of the Completions Interface. An attacker can gain unauthorized access to restricted resources and potentially disclose or modify sensitive information by manipulating the prompt parameter remotely.

    How to fix Incorrect Authorization?

    Upgrade litellm to version 1.85.0rc2 or higher.

    [,1.85.0rc2)
    • M
    Server-side Request Forgery (SSRF)

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the load_openapi_spec_async() function of the MCP OpenAPI Spec Loader component when processing the spec_path argument. An attacker can access internal resources or services by supplying crafted URLs to the vulnerable parameter.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade litellm to version 1.84.0 or higher.

    [,1.84.0)
    • M
    Incorrect Privilege Assignment

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment in the /user/filter/ui endpoint. An attacker can gain unauthorized access to user information by sending crafted requests with insufficient authorization checks.

    How to fix Incorrect Privilege Assignment?

    Upgrade litellm to version 1.88.0rc1 or higher.

    [,1.88.0rc1)
    • M
    Insufficient Session Expiration

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Insufficient Session Expiration in the get_redirect_response_from_openid() function of the SSO Authentication Flow process. An attacker can cause premature session termination by manipulating authentication responses remotely, potentially leading to unauthorized session expiration and disruption of user access.

    How to fix Insufficient Session Expiration?

    There is no fixed version for litellm.

    [0,)
    • M
    Missing Authentication for Critical Function

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the /sso/debug/login and /sso/debug/callback endpoints in the SSO Debug Flow. An attacker can gain unauthorized access and potentially manipulate sensitive information by sending crafted requests to the affected endpoint.

    How to fix Missing Authentication for Critical Function?

    There is no fixed version for litellm.

    [0,)
    • M
    Server-side Request Forgery (SSRF)

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /v1/mcp/test/connection endpoint. An attacker can perform server-side request forgery (SSRF) by supplying a crafted token_url and arbitrary Machine-to-Machine (M2M) credentials to the connection testing endpoint. Due to incomplete validation of OAuth M2M flows, the proxy issues HTTP POST requests to attacker-controlled destinations, allowing internal network reconnaissance and potentially triggering unauthorized actions on reachable services.

    Note: Exploitation requires an authenticated user with access to the /v1/mcp/test/connection (or /mcp-rest/test/connection) endpoint.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade litellm to version 1.84.0.dev2 or higher.

    [,1.84.0.dev2)
    • L
    Incorrect Authorization

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Incorrect Authorization in the user_api_key_auth.py file of the M2M JWT Handler. An attacker can gain unauthorized access to resources by exploiting insufficient authorization checks.

    Note: This is only exploitable if the attacker possesses valid but limited credentials and can craft specific JWTs to bypass intended access controls.

    How to fix Incorrect Authorization?

    Upgrade litellm to version 1.89.0rc1 or higher.

    [,1.89.0rc1)
    • H
    Insufficient Session Expiration

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Insufficient Session Expiration in the authenticate_user function. An attacker can gain unauthorized access or maintain access to sensitive information by exploiting session management flaws.

    How to fix Insufficient Session Expiration?

    There is no fixed version for litellm.

    [0,)
    • C
    User Impersonation

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to User Impersonation via manipulation of the Host header during HTTP requests. An attacker can gain unauthorized access to protected management routes by crafting a malicious Host header that causes the authentication layer to evaluate a different route than intended.

    Note: This is only exploitable if there is no upstream component (such as a CDN, WAF, reverse proxy with explicit server name allowlists, or host-based load balancer) validating or normalizing the Host header before forwarding requests.

    How to fix User Impersonation?

    Upgrade litellm to version 1.84.0 or higher.

    [,1.84.0)
    • H
    Incorrect Authorization

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Incorrect Authorization via the allowed_routes field during API key generation. An attacker can gain unauthorized access to restricted routes by specifying routes outside their permitted scope, thereby bypassing role-based access controls.

    How to fix Incorrect Authorization?

    Upgrade litellm to version 1.83.14 or higher.

    [,1.83.14)
    • H
    Incorrect Authorization

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Incorrect Authorization via the /user/update endpoint. An attacker can gain full administrative access by modifying their own user_role field to proxy_admin to escalate privileges.

    How to fix Incorrect Authorization?

    Upgrade litellm to version 1.83.10 or higher.

    [,1.83.10)
    • C
    SQL Injection

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to SQL Injection via the token lookup query in the combined view path. An attacker can extract or manipulate records by supplying a crafted token value that is interpolated directly into the WHERE v.token = '{token}' clause. This affects the proxy’s combined-view token resolution logic and can expose or alter tenant-scoped data returned by the database query.

    Workarounds

    • Set disable_error_logs: true under general_settings to prevent unauthenticated input from reaching the vulnerable proxy API key verification query path.

    How to fix SQL Injection?

    Upgrade litellm to version 1.83.7 or higher.

    [1.81.16,1.83.7)
    • H
    Improper Neutralization of Special Elements Used in a Template Engine

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the POST /prompts/test endpoint, which accepts user-supplied prompt templates and renders them without sandboxing. An attacker can execute arbitrary code within the server process by submitting a crafted template after authenticating with a valid proxy API key. This may expose sensitive environment variables or allow commands to be executed on the host.

    How to fix Improper Neutralization of Special Elements Used in a Template Engine?

    Upgrade litellm to version 1.83.7 or higher.

    [1.80.5,1.83.7)
    • H
    Command Injection

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Command Injection via preview MCP server endpoints POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. An attacker can execute arbitrary commands by accessing the publicly exposed MCP management interface and configuring the server with attacker-controlled commands and arguments.

    How to fix Command Injection?

    Upgrade litellm to version 1.83.7 or higher.

    [1.74.2,1.83.7)
    • H
    Arbitrary Code Injection

    litellm is a Library to easily interface with LLM API providers

    Affected versions of this package are vulnerable to Arbitrary Code Injection in the /guardrails/test_custom_code endpoint through bytecode rewriting. An attacker can execute arbitrary code by sending specially crafted requests to this endpoint.

    How to fix Arbitrary Code Injection?

    Upgrade litellm to version 1.83.9 or higher.

    [,1.83.9)