Attack Chain

1. The attacker identifies a vulnerable LiteLLM instance running a version prior to 1.81.0.
2. The attacker crafts a malicious HTTP request targeting either the /key/block or /key/unblock endpoint.
3. The crafted request includes a SQL injection payload within the key parameter, designed for time-based blind injection.
4. The LiteLLM application processes the request without proper sanitization, executing the injected SQL code against the underlying database.
5. The attacker monitors the response time of the server. The time delay is used to infer the results of the SQL query due to the blind nature of the injection.
6. Through repeated requests and refined payloads, the attacker progressively extracts database contents, such as usernames, passwords, and API keys.
7. The attacker uses extracted credentials to gain unauthorized access to other services or resources.
8. The attacker may read files from the server.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2025-45809) could allow an unauthenticated attacker to steal sensitive database contents, including API keys and user credentials. While the CVSS score is rated as medium (5.4), the impact can be high if the compromised data grants access to critical systems or exposes sensitive customer information. Organizations using affected versions of LiteLLM are urged to apply the necessary patches or mitigations to prevent potential data breaches and unauthorized access.

Recommendation

• Upgrade LiteLLM to version 1.81.0 or later to remediate CVE-2025-45809.
• Implement input validation on the key parameter in the /key/block and /key/unblock endpoints.
• Deploy a Web Application Firewall (WAF) to filter out requests containing SQL injection patterns, as recommended in the advisory.
• Monitor web server logs for suspicious activity targeting the /key/block and /key/unblock endpoints to detect potential exploitation attempts (see webserver log source in the rules below).