SSRF Vulnerability in litellm version 1.38.10 Leads to Unauthorized Access

CVE-2024-6587

7.5HIGH

Key Information

Vendor: Berriai
Status: Berriai/litellm
Vendor: CVE Published:; 13 September 2024

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.

Affected Version(s)

berriai/litellm < 1.44.9

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 7.5 - (HIGH)
Sep 13, 2024
Vulnerability published.
Sep 13, 2024
Vulnerability Reserved.
Jul 8, 2024

Collectors

NVD DatabaseMitre Database