litellm
PyPI | 17 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting litellm (page 1 of 1)
- CVE-2024-10188 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.53.1.dev1 | 2025-03-20
vulnerable: 0.1.0 ... 1.9.dev0 (1007 versions)
A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ast.literal_eval to parse user input. This function is not safe and is prone to DoS attacks,…
- CVE-2024-2952 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 1.34.42 | 2024-04-10
vulnerable: 0.1.0 ... 1.9.dev0 (752 versions)
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` f…
- CVE-2024-4264 | CRITICAL | CVSS 9.8 | EG 7.2 | 2024-05-18
vulnerable: 0.1.0 ... 1.9.dev0 (649 versions)
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server…
- CVE-2024-4888 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 1.35.36 | 2024-06-06
vulnerable: 0.1.0 ... 1.9.dev0 (789 versions)
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this vulnerability by sending a specially crafted request …
- CVE-2024-4890 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-06-06
vulnerable: 0.1.0 ... 1.9.dev0 (635 versions)
A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' parameter in the raw SQL query used for d…
- CVE-2024-5225 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 1.40.0 | 2024-06-06
vulnerable: 0.1.0 ... 1.9.dev0 (831 versions)
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affecte…
- CVE-2024-5710 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 1.40.15 | 2024-06-27
vulnerable: 0.1.0 ... 1.9.dev0 (847 versions)
berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. This vulnerability allows attackers to perform unauthorized actions such as creating, updating, viewing, deleting, blocking, and…
- CVE-2024-5751 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 1.40.16 | 2024-06-27
vulnerable: 0.1.0 ... 1.9.dev0 (848 versions)
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assig…
- CVE-2024-6587 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.44.8 | 2024-09-13
vulnerable: 0.1.0 ... 1.9.dev0 (925 versions)
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to …
- CVE-2024-9606 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.44.12 | 2025-03-20
vulnerable: 0.1.0 ... 1.9.dev0 (929 versions)
In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost…
- CVE-2025-0628 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 1.61.15 | 2025-03-20
vulnerable: 0.1.0 ... 1.9.dev0 (1092 versions)
An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internal_user_viewer' logs into the application, they are provided with an overly privileged API key. This key can be …
- CVE-2026-35029 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.83.0 | 2026-04-06
vulnerable: 0.1.0 ... 1.9.dev0 (1284 versions)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then us…
- CVE-2026-35030 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 1.83.0 | 2026-04-06
vulnerable: 0.1.0 ... 1.9.dev0 (1284 versions)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produc…
- CVE-2026-40217 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.83.10 | 2026-04-10
vulnerable: 1.81.10 ... 1.83.9 (27 versions)
LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.
- CVE-2026-42203 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.83.7 | 2026-05-08
vulnerable: 1.80.10 ... 1.83.6 (43 versions)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxin…
- CVE-2026-42208 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | ✓ Fixed in 1.83.7 | 2026-05-08
vulnerable: 1.81.16 ... 1.83.6 (15 versions)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text …
- CVE-2026-42271 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 1.83.7 | 2026-05-08
vulnerable: 1.74.12 ... 1.83.6 (107 versions)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /m…