External Control of File Name or Path Affecting litellm package, versions [,1.83.10)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.26% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-LITELLM-17900526
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditUnknown

Introduced: 8 Jul 2026

NewCVE-2026-59819  (opens in a new tab)
CWE-73  (opens in a new tab)

How to fix?

Upgrade litellm to version 1.83.10 or higher.

Overview

litellm is a Library to easily interface with LLM API providers

Affected versions of this package are vulnerable to External Control of File Name or Path via request-supplied OIDC file references through the /health/test_connection handler in litellm/proxy/health_endpoints/_health_endpoints.py and litellm/secret_managers/main.py. An attacker with privileged access to the proxy can read arbitrary local files by sending a litellm_params payload that points an oidc/file/ secret reference at a filesystem path such as /etc/passwd or another credential file. This exposes file contents to the caller during connection testing, letting a proxy administrator or other authorized model-connection tester retrieve secrets from the host filesystem instead of only using server-managed credential locations.

Notes

  • oidc/file/ resolution is constrained to standard credential mount locations by default (/var/run/secrets and /run/secrets). Deployments that store OIDC material elsewhere need to set LITELLM_OIDC_ALLOWED_CREDENTIAL_DIRS to include those absolute directories, or those reads are rejected.
  • The affected request path includes nested litellm_params/metadata fields in the connection-test flow, so the file-reference handling is not limited to a single top-level parameter location.

CVSS Base Scores

version 4.0
version 3.1