Interpretation Conflict Affecting litellm-1.82 package, versions <1.82.3-r1


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.18% (8th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-LITELLM182-17741682
  • published1 Jul 2026
  • disclosed22 Jun 2026

Introduced: 22 Jun 2026

NewCVE-2026-53538  (opens in a new tab)
CWE-436  (opens in a new tab)
CWE-444  (opens in a new tab)

How to fix?

Upgrade Minimos:latest litellm-1.82 to version 1.82.3-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream litellm-1.82 package and not the litellm-1.82 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component. This vulnerability is fixed in 0.0.30.

CVSS Base Scores

version 3.1