chore(deps): update dependency litellm to v1.84.0 [security] #434
Open
renovate[bot] wants to merge 1 commit into
For team members: test commit
Codecov Report
✅ All modified and coverable lines are covered by tests.
e3ca177 to 8ed886d
8ed886d to 3e2e194
3e2e194 to d21bbcf
Contributor
This got updated to renovate to an upgrade to 1.85. 1.85 is noisy unless you have botocore installed (and unnecessarily slow to import if you do). While the warnings are harmless, I think we'll hold off on this for a bit - the security issues are not relevant to us.
d21bbcf to 1f333de
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1f333de to d7ae09f
This PR contains the following updates:
1.83.0 → 1.84.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
LiteLLM: Server-Side Template Injection in /prompts/test endpoint
CVE-2026-42203 / GHSA-xqmj-j6mv-4862
More information
Details
Impact
The POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process.
The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host.
Proxy deployments running an affected version are in scope.
Patches
The issue is fixed in 1.83.7-stable. The fix switches the prompt template renderer to a sandboxed environment that blocks the attributes this attack relies on.
LiteLLM recommends upgrading to 1.83.7-stable or later.
Workarounds
If upgrading is not immediately possible:
POST /prompts/test at your reverse proxy or API gateway.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM has SQL Injection in Proxy API key verification
CVE-2026-42208 / GHSA-r75f-5x8p-qvmc
More information
Details
Impact
A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path.
An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages.
Patches
Fixed in 1.83.7. The caller-supplied value is now always passed to the database as a separate parameter. Upgrade to 1.83.7 or later.
Workarounds
If upgrading is not immediately possible, set disable_error_logs: true under general_settings. This removes the path through which unauthenticated input reaches the vulnerable query.
References
v1.83.7-stable
Discovery Credit: Tencent YunDing Security Lab
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM: Authenticated command execution via MCP stdio test endpoints
CVE-2026-42271 / GHSA-v4p8-mg3p-g94g
More information
Details
Impact
Two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.
The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.
Patches
Fixed in 1.83.7. Both test endpoints now require the PROXY_ADMIN role, bringing them into line with the save endpoint.
Workarounds
If upgrading is not immediately possible, developers should block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at their reverse proxy or API gateway.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM has a sandbox escape in custom-code guardrail
CVE-2026-40217 / GHSA-wxxx-gvqv-xp7p
More information
Details
Impact
The POST /guardrails/test_custom_code endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.
Reaching the endpoint requires a proxy-admin credential in default configurations.
Patches
Fixed in 1.83.11. The hand-rolled sandbox has been replaced with RestrictedPython. Upgrade to 1.83.11 or later.
Workarounds
If upgrading is not immediately possible, block POST /guardrails/test_custom_code at your reverse proxy or API gateway.
References
v1.83.10-stable
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM: Authentication Bypass via Host Header Injection
CVE-2026-49468 / GHSA-4xpc-pv4p-pm3w
More information
Details
Impact
A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes.
The auth layer derived the effective route from request.url.path in litellm/proxy/auth/auth_utils.py::get_request_route(), which Starlette reconstructs from the Host header. A crafted Host could therefore make the auth gate evaluate a different route from the one FastAPI dispatched.
Most deployments are not affected. The bypass is blocked by any upstream layer that validates or normalizes Host, such as:
server_name allowlists
LiteLLM Cloud customers are not affected.
Patches
Fixed in 1.84.0. Upgrade to 1.84.0 or later. No configuration change is required.
Workarounds
If upgrading is not immediately possible, place the proxy behind an upstream component that validates or normalizes the Host header before forwarding (a CDN/WAF, a reverse proxy with explicit server_name allowlists, or a cloud load balancer with host-based routing rules), or otherwise restrict network access to the proxy listener.
References
v1.84.0
Discovery Credit: Le The Thang (KCSC) and Kim Ngoc Chung (One Mount Group)
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit
CVE-2026-47101 / GHSA-qrc4-49gv-mv9m
More information
Details
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM allows a user to modify their own user_role via the /user/update endpoint
CVE-2026-47102 / GHSA-wpfp-gwwc-vwq6
More information
Details
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
BerriAI/litellm (litellm)
v1.84.0
Verify Docker Image Signature
All LiteLLM Docker images are signed with cosign. Every release is signed with the same key introduced in commit 0112e53.
Verify using the pinned commit hash (recommended):
A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key:
Verify using the release tag (convenience):
Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules:
Expected output:
What's Changed
New Contributors
Full Changelog: BerriAI/litellm@v1.83.14-stable.patch.3...v1.84.0
Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
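The reverse-proxy workarounds from the advisories above, gathered into one nginx front end as an added example (not part of this PR or of LiteLLM's own configuration). The hostname, certificate paths and upstream address are placeholders chosen for illustration.

```nginx
# Added example, not LiteLLM's own configuration.
# Placeholders (assumptions): litellm.example.internal, the certificate
# paths, and the upstream address 127.0.0.1:4000.

# Catch-all: a request whose SNI or Host matches no explicit server_name
# ends up here and is dropped, so the upstream only ever sees an
# allowlisted Host value.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # refuse TLS for unknown SNI (nginx 1.19.4+)
    return 444;                # close the connection on unknown Host
}

server {
    listen 443 ssl;
    server_name litellm.example.internal;   # explicit allowlist

    ssl_certificate     /etc/nginx/tls/litellm.crt;
    ssl_certificate_key /etc/nginx/tls/litellm.key;

    # Endpoints the advisories say to block when upgrading is delayed.
    # All methods are refused, which is a superset of blocking POST.
    location ~ ^/(prompts/test|mcp-rest/test/connection|mcp-rest/test/tools/list|guardrails/test_custom_code)/?$ {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:4000;
        # $host is the normalized host name (lower-cased, port removed)
        # that selected this server block, not the raw header bytes.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

This only helps when clients cannot reach the LiteLLM listener directly. The SQL injection workaround is a LiteLLM setting (disable_error_logs: true under general_settings) and is not covered by this file.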