Buffer Over-read Affecting litellm-1.84 package, versions <1.84.3-r0


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.45% (37th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-LITELLM184-17334405
  • published14 Jun 2026
  • disclosed14 Jul 2026

Introduced: 14 Jun 2026

CVE-2026-49854  (opens in a new tab)
CWE-126  (opens in a new tab)

How to fix?

Upgrade Minimos:latest litellm-1.84 to version 1.84.3-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream litellm-1.84 package and not the litellm-1.84 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argument is exactly four bytes, allowing the C function to read up to three bytes beyond the provided buffer when reached through Tornado XSRF token decoding with the native extension active. This issue is fixed in version 6.5.6.

CVSS Base Scores

version 3.1