CVE-2024-6587: SSRF in berriai/litellm
First published: Fri Sep 13 2024(Updated: )
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.
Credit: security@huntr.dev security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/litellm | <1.44.8 | 1.44.8 |
| Litellm Litellm | =1.38.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g26j-5385-hhw3
- alias/CVE-2024-6587
- agent/software-canonical-lookup
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/github-advisory
- agent/tags
- collector/nvd-cve
- agent/event
- agent/trending
- package-manager/pip
- vendor/litellm
- canonical/litellm litellm
- version/litellm litellm/1.38.10