PyPI package
litellm
pkg:pypi/litellm
2 malicious versions on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- PYSEC-2026-2: Two litellm versions published containing credential harvesting malware (Mar 24, 2026)
- MAL-2026-2144: Malicious code in litellm (PyPI) (Mar 24, 2026)
Vulnerabilities (20)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42271 | High | 8.8 | | >= 1.74.2, < 1.83.7 | 1.83.7 | May 8, 2026 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full s |
| CVE-2026-42208 | Critical | 9.8 | KEV | >= 1.81.16, < 1.83.7 | 1.83.7 | May 8, 2026 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate param |
| CVE-2026-42203 | High | 8.8 | | >= 1.80.5, < 1.83.7 | 1.83.7 | May 8, 2026 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary |
| CVE-2026-40217 | High | 8.8 | | >= 1.81.8, < 1.83.10 | 1.83.10 | Apr 10, 2026 | LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI. |
| CVE-2026-35030 | Critical | 9.1 | | < 1.83.0 | 1.83.0 | Apr 6, 2026 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate |
| CVE-2026-35029 | High | 8.8 | | < 1.83.0 | 1.83.0 | Apr 6, 2026 | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configura |
| CVE-2025-0628 | High | 8.1 | | < 1.61.15 | 1.61.15 | Mar 20, 2025 | An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internal_user_viewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionalit |
| CVE-2024-10188 | High | 7.5 | | < 1.53.1.dev1 | 1.53.1.dev1 | Mar 20, 2025 | A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ast.literal_eval to parse user input. This function is not safe and is prone to DoS attacks, which can crash the litellm Python serve |
| CVE-2024-6825 | | | — | >= 1.40.3.dev2, <= 1.40.12 | — | Mar 20, 2025 | BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rules' configuration, where a callback function can be added. The provided value is split at the final '.' mark, with the last part consi |
| CVE-2025-0330 | | | — | <= 1.52.1 | — | Mar 20, 2025 | In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfuse_secret and langfuse_public_key, which can provide full ac |
| CVE-2024-9606 | | | — | < 1.44.12 | 1.44.12 | Mar 20, 2025 | In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API key in the logs, exposing |
| CVE-2024-8984 | | | — | < 1.56.2 | 1.56.2 | Mar 20, 2025 | A Denial of Service (DoS) vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to |
| CVE-2024-6587 | | | — | < 1.44.8 | 1.44.8 | Sep 13, 2024 | A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified |
| CVE-2024-5710 | | | — | < 1.40.15 | 1.40.15 | Jun 27, 2024 | berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. This vulnerability allows attackers to perform unauthorized actions such as creating, updating, viewing, deleting, blocking, and unblocking any teams, as well as adding |
| CVE-2024-5751 | | | — | < 1.40.16 | 1.40.16 | Jun 27, 2024 | BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can |
| CVE-2024-4888 | | | — | < 1.35.36 | 1.35.36 | Jun 6, 2024 | BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this vulnerability by sending a specially crafted request that includes a file path to the server, |
| CVE-2024-4890 | | | — | <= 1.27.14 | — | Jun 6, 2024 | A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. An attacker can exploit th |
| CVE-2024-5225 | | | — | < 1.40.0 | 1.40.0 | Jun 6, 2024 | An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concate |
| CVE-2024-4264 | Critical | 9.8 | | <= 1.28.11 | — | May 18, 2024 | A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is p |
| CVE-2024-2952 | | | — | < 1.34.42 | 1.34.42 | Apr 10, 2024 | BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine wit |