Skip to content

chore(deps): update dependency litellm to v1.84.0 [security]#434

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-litellm-vulnerability
Open

chore(deps): update dependency litellm to v1.84.0 [security]#434
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-litellm-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 26, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
litellm 1.83.01.84.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


LiteLLM: Server-Side Template Injection in /prompts/test endpoint

CVE-2026-42203 / GHSA-xqmj-j6mv-4862

More information

Details

Impact

The POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process.

The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host.

Proxy deployments running an affected version are in scope.

Patches

The issue is fixed in 1.83.7-stable. The fix switches the prompt template renderer to a sandboxed environment that blocks the attributes this attack relies on.

LiteLLM recommends upgrading to 1.83.7-stable or later.

Workarounds

If upgrading is not immediately possible:

  1. Block POST /prompts/test at your reverse proxy or API gateway.
  2. Review and rotate API keys that should not have access to prompt management routes.

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


LiteLLM has SQL Injection in Proxy API key verification

CVE-2026-42208 / GHSA-r75f-5x8p-qvmc

More information

Details

Impact

A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path.

An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages.

Patches

Fixed in 1.83.7. The caller-supplied value is now always passed to the database as a separate parameter. Upgrade to 1.83.7 or later.

Workarounds

If upgrading is not immediately possible, set disable_error_logs: true under general_settings. This removes the path through which unauthenticated input reaches the vulnerable query.

References

Discovery Credit: Tencent YunDing Security Lab

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


LiteLLM: Authenticated command execution via MCP stdio test endpoints

CVE-2026-42271 / GHSA-v4p8-mg3p-g94g

More information

Details

Impact

Two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.

The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.

Patches

Fixed in 1.83.7. Both test endpoints now require the PROXY_ADMIN role, bringing them into line with the save endpoint.

Workarounds

If upgrading is not immediately possible, developers should block POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list at their reverse proxy or API gateway.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


LiteLLM has a sandbox escape in custom-code guardrail

CVE-2026-40217 / GHSA-wxxx-gvqv-xp7p

More information

Details

Impact

The POST /guardrails/test_custom_code endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.

Reaching the endpoint requires a proxy-admin credential in default configurations.

Patches

Fixed in 1.83.11. The hand-rolled sandbox has been replaced with RestrictedPython. Upgrade to 1.83.11 or later.

Workarounds

If upgrading is not immediately possible, block POST /guardrails/test_custom_code at your reverse proxy or API gateway.

References

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


LiteLLM: Authentication Bypass via Host Header Injection

CVE-2026-49468 / GHSA-4xpc-pv4p-pm3w

More information

Details

Impact

A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes.

The auth layer derived the effective route from request.url.path in litellm/proxy/auth/auth_utils.py::get_request_route(), which Starlette reconstructs from the Host header. A crafted Host could therefore make the auth gate evaluate a different route from the one FastAPI dispatched.

Most deployments are not affected. The bypass is blocked by any upstream layer that validates or normalizes Host, such as:

  • a CDN or WAF, such as Cloudflare
  • a reverse proxy with server_name allowlists
  • a host-based load balancer

LiteLLM Cloud customers are not affected.

Patches

Fixed in 1.84.0. Upgrade to 1.84.0 or later. No configuration change is required.

Workarounds

If upgrading is not immediately possible, place the proxy behind an upstream component that validates or normalizes the Host header before forwarding (a CDN/WAF, a reverse proxy with explicit server_name allowlists, or a cloud load balancer with host-based routing rules), or otherwise restrict network access to the proxy listener.

References

Discovery Credit: Le The Thang (KCSC) and Kim Ngoc Chung (One Mount Group)

Severity

  • CVSS Score: 9.5 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit

CVE-2026-47101 / GHSA-qrc4-49gv-mv9m

More information

Details

LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


LiteLLM allows a user to modify their own user_role via the /user/update endpoint

CVE-2026-47102 / GHSA-wpfp-gwwc-vwq6

More information

Details

LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

BerriAI/litellm (litellm)

v1.84.0

⚠️ Heads up — this release contains breaking changes.
Read the full release notes here: v1.84.0 release notes


Verify Docker Image Signature

All LiteLLM Docker images are signed with cosign. Every release is signed with the same key introduced in commit 0112e53.

Verify using the pinned commit hash (recommended):

A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key:

cosign verify \
  --key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
  ghcr.io/berriai/litellm:v1.84.0

Verify using the release tag (convenience):

Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules:

cosign verify \
  --key https://raw.githubusercontent.com/BerriAI/litellm/v1.84.0/cosign.pub \
  ghcr.io/berriai/litellm:v1.84.0

Expected output:

The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

What's Changed
New Contributors

Full Changelog: BerriAI/litellm@v1.83.14-stable.patch.3...v1.84.0


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the security label Apr 26, 2026
@renovate renovate Bot requested a review from a team as a code owner April 26, 2026 05:55
@renovate renovate Bot added the security label Apr 26, 2026
@github-actions

Copy link
Copy Markdown

For team members: test commit e3ca177 in internal GitLab

@codecov

codecov Bot commented Apr 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
unittests 97.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate Bot changed the title chore(deps): update dependency litellm to v1.83.7 [security] chore(deps): update dependency litellm to v1.83.7 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/pypi-litellm-vulnerability branch April 27, 2026 17:59
@renovate renovate Bot changed the title chore(deps): update dependency litellm to v1.83.7 [security] - autoclosed chore(deps): update dependency litellm to v1.83.7 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/pypi-litellm-vulnerability branch 2 times, most recently from e3ca177 to 8ed886d Compare April 27, 2026 22:04
@github-actions

Copy link
Copy Markdown

For team members: test commit e3ca177 in internal GitLab

@github-actions

Copy link
Copy Markdown

For team members: test commit 8ed886d in internal GitLab

@renovate renovate Bot force-pushed the renovate/pypi-litellm-vulnerability branch from 8ed886d to 3e2e194 Compare May 11, 2026 18:08
@renovate renovate Bot changed the title chore(deps): update dependency litellm to v1.83.7 [security] chore(deps): update dependency litellm to v1.83.10 [security] May 11, 2026
@github-actions

Copy link
Copy Markdown

For team members: test commit 3e2e194 in internal GitLab

@renovate renovate Bot force-pushed the renovate/pypi-litellm-vulnerability branch from 3e2e194 to d21bbcf Compare May 18, 2026 17:45
@github-actions

Copy link
Copy Markdown

For team members: test commit d21bbcf in internal GitLab

@owtaylor

Copy link
Copy Markdown
Contributor

This got updated to renovate to an upgrade to 1.85. 1.85 is noisy unless you have botocore installed (and unnecessarily slow to import if you do)

BerriAI/litellm#28175

While the warnings are harmless, I think we'll hold off on this for a bit - the security issues are not relevant to us.

@renovate renovate Bot force-pushed the renovate/pypi-litellm-vulnerability branch from d21bbcf to 1f333de Compare June 11, 2026 12:52
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/pypi-litellm-vulnerability branch from 1f333de to d7ae09f Compare June 17, 2026 03:14
@renovate renovate Bot changed the title chore(deps): update dependency litellm to v1.83.10 [security] chore(deps): update dependency litellm to v1.84.0 [security] Jun 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant