{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/litellm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["litellm"],"_cs_severities":["critical"],"_cs_tags":["sqli","litellm","web-application"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eA critical SQL injection vulnerability has been identified in LiteLLM, specifically affecting versions 1.81.16 through 1.83.6. The vulnerability resides within the proxy API key verification process. Due to improper sanitization of the \u003ccode\u003eAuthorization\u003c/code\u003e header, an unauthenticated attacker can inject arbitrary SQL commands. This is achieved by sending a specially crafted header to any LLM API route, such as \u003ccode\u003ePOST /chat/completions\u003c/code\u003e, which triggers the vulnerable query through the proxy\u0026rsquo;s error-handling mechanism. 
Defenders should prioritize patching to version 1.83.7 or later to mitigate this risk, or implement the suggested workaround.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP \u003ccode\u003eAuthorization\u003c/code\u003e header to a LiteLLM API endpoint (e.g., \u003ccode\u003e/chat/completions\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe LiteLLM proxy receives the request and extracts the API key from the \u003ccode\u003eAuthorization\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eDue to insufficient sanitization, the API key value is directly concatenated into a SQL query string.\u003c/li\u003e\n\u003cli\u003eThe vulnerable SQL query is executed against the proxy\u0026rsquo;s database.\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code to read sensitive data, such as user credentials or API keys, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may further inject SQL code to modify data, potentially granting themselves administrative privileges or compromising other users\u0026rsquo; accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the LiteLLM proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised proxy to access and control connected LLMs, exfiltrate data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to complete compromise of the LiteLLM proxy. Attackers could read or modify sensitive data within the proxy\u0026rsquo;s database, including API keys and credentials. This could lead to unauthorized access to managed LLMs and potentially allow attackers to exfiltrate sensitive data, disrupt services, or gain a foothold for further attacks within the compromised environment. 
The impact is significant due to the potential for widespread data breaches and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version 1.83.7 or later to patch the SQL injection vulnerability as detailed in the advisory \u003ca href=\"https://github.com/advisories/GHSA-r75f-5x8p-qvmc\"\u003eGHSA-r75f-5x8p-qvmc\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, set \u003ccode\u003edisable_error_logs: true\u003c/code\u003e in the \u003ccode\u003egeneral_settings\u003c/code\u003e configuration to mitigate the risk as described in the advisory \u003ca href=\"https://github.com/advisories/GHSA-r75f-5x8p-qvmc\"\u003eGHSA-r75f-5x8p-qvmc\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious \u003ccode\u003eAuthorization\u003c/code\u003e headers containing SQL injection payloads to detect potential exploitation attempts. Deploy the provided Sigma rule targeting HTTP request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-08T12:00:00Z","date_published":"2024-11-08T12:00:00Z","id":"/briefs/2024-11-litellm-sqli/","summary":"A SQL injection vulnerability exists in LiteLLM versions 1.81.16 up to, but not including, 1.83.7, allowing an unauthenticated attacker to inject SQL queries via a crafted 'Authorization' header, potentially leading to unauthorized data access or modification.","title":"LiteLLM Proxy API Key Verification SQL Injection","url":"https://feed.craftedsignal.io/briefs/2024-11-litellm-sqli/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["LiteLLM"],"_cs_severities":["high"],"_cs_tags":["ssti","litellm","template-injection","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA server-side template injection (SSTI) vulnerability has been identified in LiteLLM versions 1.80.5 up to, but not including, 1.83.7. 
This flaw resides within the \u003ccode\u003e/prompts/test\u003c/code\u003e endpoint, which processes user-supplied prompt templates. Due to insufficient input sanitization, a malicious actor with a valid proxy API key can inject arbitrary code into the template, leading to its execution within the LiteLLM Proxy process. This vulnerability was disclosed on April 24, 2026. Successful exploitation can compromise the proxy\u0026rsquo;s environment, potentially exposing sensitive credentials like provider API keys and database passwords, or allowing arbitrary command execution on the host system. Organizations using affected versions of LiteLLM are at risk. The vulnerability is addressed in version 1.83.7-stable by implementing a sandboxed template renderer.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the LiteLLM proxy server using a valid API key.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious prompt template containing SSTI payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/prompts/test\u003c/code\u003e endpoint, including the crafted template in the request body.\u003c/li\u003e\n\u003cli\u003eThe LiteLLM proxy server receives the request and processes the template without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe SSTI payload executes arbitrary code within the LiteLLM proxy process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to environment variables containing sensitive information, such as API keys and database credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed credentials to gain unauthorized access to external services or data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the host system, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSTI vulnerability allows attackers to execute arbitrary code within the LiteLLM Proxy process. This can lead to the exposure of sensitive information such as API keys and database credentials, potentially enabling unauthorized access to other systems and data. Furthermore, attackers can execute arbitrary commands on the host, leading to full system compromise. The impact is significant for organizations relying on LiteLLM for managing and routing AI model requests, as it could result in data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version \u003ccode\u003e1.83.7-stable\u003c/code\u003e or later to patch the vulnerability, as this version implements a sandboxed template renderer (see Patches).\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, block \u003ccode\u003ePOST /prompts/test\u003c/code\u003e at your reverse proxy or API gateway to prevent exploitation attempts (see Workarounds).\u003c/li\u003e\n\u003cli\u003eReview and rotate API keys that should not have access to prompt management routes to limit the potential impact of compromised keys (see Workarounds).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LiteLLM SSTI Attempts via /prompts/test\u0026rdquo; to your SIEM to identify potential exploitation attempts based on HTTP request patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-05T12:00:00Z","date_published":"2024-11-05T12:00:00Z","id":"/briefs/2024-11-litellm-ssti/","summary":"A server-side template injection vulnerability in LiteLLM versions 1.80.5 to before 1.83.7 allows authenticated users to execute arbitrary code within the LiteLLM Proxy process via a crafted prompt template, potentially exposing sensitive information and enabling command execution on the 
host.","title":"LiteLLM Server-Side Template Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-11-litellm-ssti/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["litellm"],"_cs_severities":["high"],"_cs_tags":["rce","litellm","command-injection"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eLiteLLM versions 1.74.2 through 1.83.6 are vulnerable to authenticated command execution. Two endpoints, \u003ccode\u003ePOST /mcp-rest/test/connection\u003c/code\u003e and \u003ccode\u003ePOST /mcp-rest/test/tools/list\u003c/code\u003e, intended for previewing MCP server configurations, allowed any authenticated user to execute arbitrary commands on the proxy host. This was possible because the endpoints accepted a full server configuration in the request body, including the \u003ccode\u003ecommand\u003c/code\u003e, \u003ccode\u003eargs\u003c/code\u003e, and \u003ccode\u003eenv\u003c/code\u003e fields used by the stdio transport, without proper role checks. An attacker could exploit this vulnerability by using a low-privilege API key to send a crafted request containing malicious commands, leading to command execution with the privileges of the proxy process. The vulnerability was patched in version 1.83.7 by enforcing the \u003ccode\u003ePROXY_ADMIN\u003c/code\u003e role for these endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the LiteLLM proxy with a valid, but low-privilege, API key.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious JSON payload containing a server configuration intended for the stdio transport. 
The payload includes the \u003ccode\u003ecommand\u003c/code\u003e, \u003ccode\u003eargs\u003c/code\u003e, and \u003ccode\u003eenv\u003c/code\u003e fields, which specify the command to be executed, its arguments, and environment variables, respectively.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to either the \u003ccode\u003e/mcp-rest/test/connection\u003c/code\u003e or \u003ccode\u003e/mcp-rest/test/tools/list\u003c/code\u003e endpoint, with the malicious JSON payload in the request body.\u003c/li\u003e\n\u003cli\u003eThe LiteLLM proxy receives the request and, due to the vulnerability, attempts to connect to the supplied server configuration.\u003c/li\u003e\n\u003cli\u003eThe proxy spawns the supplied command as a subprocess on the proxy host, using the privileges of the proxy process.\u003c/li\u003e\n\u003cli\u003eThe attacker-supplied command executes arbitrary code on the host.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the proxy host with the privileges of the LiteLLM proxy.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the host running the LiteLLM proxy. Since the vulnerability can be exploited with a low-privilege API key, this significantly broadens the attack surface. Depending on the privileges of the proxy process, this could lead to full system compromise, data exfiltration, or denial of service. 
The lack of specific victim count or sector targeting information in the advisory suggests a broad potential impact across various deployments of LiteLLM.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiteLLM to version 1.83.7 or later to remediate the vulnerability (see Patches).\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, block \u003ccode\u003ePOST\u003c/code\u003e requests to the \u003ccode\u003e/mcp-rest/test/connection\u003c/code\u003e and \u003ccode\u003e/mcp-rest/test/tools/list\u003c/code\u003e endpoints at your reverse proxy or API gateway (see Workarounds).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for \u003ccode\u003ePOST\u003c/code\u003e requests to \u003ccode\u003e/mcp-rest/test/connection\u003c/code\u003e and \u003ccode\u003e/mcp-rest/test/tools/list\u003c/code\u003e endpoints, looking for suspicious \u003ccode\u003ecommand\u003c/code\u003e, \u003ccode\u003eargs\u003c/code\u003e, and \u003ccode\u003eenv\u003c/code\u003e parameters in the request body (see rules below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-litellm-rce/","summary":"Authenticated users with low-privilege API keys could execute arbitrary commands on the host running LiteLLM via the `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` endpoints, by submitting a server configuration including command execution parameters.","title":"LiteLLM Authenticated Command Execution via MCP stdio Test Endpoints","url":"https://feed.craftedsignal.io/briefs/2024-01-litellm-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Litellm","version":"https://jsonfeed.org/version/1.1"}