Add cve-2026-42208 detection module (SQLi in LiteLLM)#1557
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
Summary by CodeRabbit
WalkthroughThis PR adds a new Nettacker vulnerability module for CVE-2026-42208, a pre-authentication SQL injection issue in LiteLLM proxy, and registers it in the module catalog. ChangesCVE-2026-42208 SQL Injection Detection Module
Estimated code review effort: 1 (Trivial) | ~5 minutes Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
The linked issue must be assigned to the PR author. |
|
@coderabbitai full review |
✅ Action performedFull review finished. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@nettacker/modules/vuln/litellm_cve_2026_42208.yaml`:
- Around line 51-57: The timing-only match in the response conditions can
produce false positives because `responsetime: ">= 6"` is evaluated against raw
latency. Update the LiteLLM CVE template’s response logic to use a baseline
discriminator before trusting the latency threshold, such as a control request
or an additional check alongside the existing `status_code` and `responsetime`
conditions, so the hit depends on the delayed response rather than a naturally
slow 401.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 9b7f4dea-c8fb-477d-b9ef-60b8d9f8d51b
📒 Files selected for processing (2)
docs/Modules.mdnettacker/modules/vuln/litellm_cve_2026_42208.yaml
Proposed change
This PR adds a new detection module for CVE-2026-42208: pre-authentication SQL injection in LiteLLM Proxy.
The module has been thoroughly tested against several official
litellm/litellm-database(Docker Hub) andghcr.io/berriai/litellm-databaseimages:Note: the SQLi payload targets PostgreSQL exclusively, as LiteLLM documentation states PostgreSQL is the only supported database for production deployments.
Closes #1548
Type of change
Checklist
make pre-commitand confirm it didn't generate any warnings/changesmake testand I confirm all tests passed locallydocs/folder