BerriAI litellm SSO Authentication Flow ui_sso.py get_redirect_response_from_openid session expiration

An attacker who obtains a user's SSO session token (via XSS, log exposure, network interception, or shoulder surfing) can retain access indefinitely because a new SSO login does not invalidate previously issued tokens [ref_id=1]. The victim's only self-service option—logging in again—leaves all old tokens active in the database. This allows the attacker to reuse a stolen token even after the legitimate user re-authenticates, effectively bypassing session rotation [CWE-613]. The attack is remote and requires no special privileges beyond possession of a historical token.

The vulnerability is in `litellm/proxy/management_endpoints/ui_sso.py`, specifically the `get_redirect_response_from_openid` method of `SSOAuthenticationHandler` (lines ~2453–2542). The same missing-invalidation pattern also appears in the standard username/password login path at `litellm/proxy/auth/login_utils.py` (lines ~176–198) [ref_id=1].

The advisory does not include a patch diff. The recommended fix is to add a call inside `get_redirect_response_from_openid` that deletes, expires, or invalidates all previously issued verification tokens for the same `user_id` before or after generating the new key [ref_id=1]. Without this cleanup, every SSO login creates an additional valid token, and old tokens remain usable until their absolute expiration (default 24 hours). The same invalidation logic should be applied to the username/password login path in `login_utils.py` to close the gap system-wide.

The public PoC script (`poc_exploit.py`) starts a mock OAuth server and LiteLLM proxy, performs two SSO logins for the same user, then queries the database to confirm both tokens remain active. It then uses Token 1 as a Bearer token on `/model/info` and confirms the request is authenticated, proving the old token was not invalidated [ref_id=1].