5 matches found
Incorrect Authorization
Overview litellm is a library to easily interface with LLM API providers. Affected versions of this package are vulnerable to Incorrect Authorization via the allowed_routes field during API key generation. An attacker can gain unauthorized access to restricted routes by specifying routes outside...
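The fix for this class of bug is to treat allowed_routes as a privilege the caller delegates, not a free-form list the caller declares. The following is an added example, not litellm's own code: a validator that resolves route names against a route catalogue and refuses any key whose routes are not a subset of the routes the calling key already holds. ROUTE_GROUPS, expand_routes, generate_key_unchecked and validate_allowed_routes are hypothetical names constructed for this illustration.

```python
# Added example (not litellm's own code): enforce allowed_routes at key
# generation so a caller cannot mint a key with more routes than it holds.
# ROUTE_GROUPS, expand_routes and validate_allowed_routes are hypothetical.
from typing import Iterable

# Hypothetical route catalogue, constructed for this example: a group name
# may be used as shorthand for every route in the group.
ROUTE_GROUPS: dict[str, set[str]] = {
    "llm_api": {"/chat/completions", "/completions", "/embeddings", "/models"},
    "key_management": {"/key/generate", "/key/info", "/key/block", "/key/unblock"},
    "admin": {"/user/new", "/team/new", "/spend/logs"},
}
ALL_ROUTES: set[str] = set().union(*ROUTE_GROUPS.values())


def expand_routes(entries: Iterable[str]) -> set[str]:
    """Resolve group names and literal routes to a set of concrete routes.

    Anything that is neither a known group nor a known route is rejected,
    so a caller cannot smuggle in a route the proxy does not serve.
    """
    resolved: set[str] = set()
    for entry in entries:
        if entry in ROUTE_GROUPS:
            resolved |= ROUTE_GROUPS[entry]
        elif entry in ALL_ROUTES:
            resolved.add(entry)
        else:
            raise ValueError(f"unknown route or group: {entry!r}")
    return resolved


def generate_key_unchecked(requested: Iterable[str]) -> set[str]:
    """The failure mode this advisory class describes: whatever the caller
    lists in allowed_routes is stored on the new key, unvalidated."""
    return set(requested)


def validate_allowed_routes(requested: Iterable[str], caller_routes: Iterable[str]) -> set[str]:
    """Return the allowed_routes to store on a new key.

    The requested set must be a subset of the routes the calling key itself
    holds; a request for anything outside that set is refused outright
    rather than silently trimmed, so the caller learns the key was not made.
    """
    requested_set = expand_routes(requested)
    caller_set = expand_routes(caller_routes)
    excess = requested_set - caller_set
    if excess:
        raise PermissionError(
            f"caller cannot delegate routes it does not hold: {sorted(excess)}"
        )
    return requested_set


if __name__ == "__main__":
    print(generate_key_unchecked(["/key/generate"]))  # stored as-is, no check
    print(validate_allowed_routes(["/chat/completions"], ["llm_api"]))
    try:
        validate_allowed_routes(["/key/generate"], ["llm_api"])
    except PermissionError as exc:
        print("refused:", exc)
```

Refusing rather than trimming matters: a key that silently received fewer routes than requested tends to be "fixed" by handing it a broader parent key. A real proxy would also have to apply the same subset rule to wildcard or prefix routes, which the exact-match catalogue above deliberately does not accept.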
User Impersonation
Overview litellm is a library to easily interface with LLM API providers. Affected versions of this package are vulnerable to User Impersonation in the get_oidc_user_info function. An attacker can gain unauthorized access to another user's identity and permissions by crafting a token with the same...
SQL Injection
Overview litellm is a library to easily interface with LLM API providers. Affected versions of this package are vulnerable to SQL Injection via the /key/block endpoint. A proxy_admin_viewer user can retrieve the contents of arbitrary files on the target filesystem by brute forcing them one character...
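The root cause of any injection of this shape is a caller-controlled string spliced into SQL text. The block below is an added example, not litellm's code and not its database schema: a toy key table in an in-memory sqlite3 database, a block handler that interpolates the key string, the same handler with a bound parameter, and a small boolean oracle that shows how "one character at a time" extraction works against the injectable version. make_db, block_key_injectable, block_key, blocked_tokens, reset and blind_oracle_first_char are all hypothetical names for this illustration; the oracle reads a table column, not files.

```python
# Added example (not litellm's own code): the pattern behind an injectable
# /key/block handler, next to the parameterised form. The schema and the
# block_key_* functions are hypothetical; sqlite3 stands in for the real DB.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed API keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE keys (token TEXT PRIMARY KEY, blocked INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany("INSERT INTO keys VALUES (?, 0)", [("sk-aaa",), ("sk-bbb",)])
    conn.commit()
    return conn


def block_key_injectable(conn: sqlite3.Connection, token: str) -> int:
    """Vulnerable: the caller-controlled key string is spliced into the SQL
    text, so quotes in it rewrite the WHERE clause. Returns rows affected."""
    cur = conn.execute(f"UPDATE keys SET blocked = 1 WHERE token = '{token}'")
    conn.commit()
    return cur.rowcount


def block_key(conn: sqlite3.Connection, token: str) -> int:
    """Fixed: the token travels as a bound parameter, so it is only ever
    compared as a value and never parsed as SQL. Returns rows affected."""
    cur = conn.execute("UPDATE keys SET blocked = 1 WHERE token = ?", (token,))
    conn.commit()
    return cur.rowcount


def blocked_tokens(conn: sqlite3.Connection) -> list[str]:
    return sorted(t for (t,) in conn.execute("SELECT token FROM keys WHERE blocked = 1"))


def reset(conn: sqlite3.Connection) -> None:
    conn.execute("UPDATE keys SET blocked = 0")
    conn.commit()


def blind_oracle_first_char(
    conn: sqlite3.Connection, alphabet: str = "abcdefghijklmnopqrstuvwxyz-"
) -> str:
    """Toy version of the one-character-at-a-time extraction the advisory
    describes: each guess is a boolean condition appended through the
    injectable handler, and 'rows affected' is the oracle. Recovers the
    first character of the first token in the table."""
    for guess in alphabet:
        reset(conn)
        payload = (
            "x' OR substr((SELECT token FROM keys ORDER BY token LIMIT 1), 1, 1) = '"
            + guess
        )
        if block_key_injectable(conn, payload) > 0:
            reset(conn)
            return guess
    raise RuntimeError("no character matched")


if __name__ == "__main__":
    db = make_db()
    print("injectable:", block_key_injectable(db, "sk-aaa' OR '1'='1"), "rows blocked")
    reset(db)
    print("parameterised:", block_key(db, "sk-aaa' OR '1'='1"), "rows blocked")
    print("first char of first token:", blind_oracle_first_char(db))
```

Whatever the live oracle is in a given deployment (a status code, a timing difference, a row count in the response), it only has to answer yes or no per guess; the bound parameter removes the oracle by removing the attacker's control over the query text.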
Incorrect Permission Assignment for Critical Resource
Overview litellm is a library to easily interface with LLM API providers. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource on the Azure OpenAI route. The get_model_from_request function does not necessarily enforce access restrictions when an...
Allocation of Resources Without Limits or Throttling
Overview litellm is a library to easily interface with LLM API providers. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the processing of multipart boundaries in HTTP requests. An attacker can cause excessive resource consumption a...
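A multipart parser stays bounded when every attacker-controlled dimension has a cap that is checked before the expensive work starts. The block below is an added example, not litellm's code nor that of the HTTP framework it runs on: a parser for the boundary parameter of a Content-Type header that rejects over-long headers and out-of-spec boundaries with bounded-quantifier regexes, plus a body splitter that caps the part count. MAX_CONTENT_TYPE_LEN, MAX_PARTS, parse_multipart_boundary and split_parts are hypothetical names and limits chosen for this illustration; the 70-character boundary maximum and character set come from RFC 2046 section 5.1.1.

```python
# Added example (not litellm's or its HTTP framework's own code): a bounded
# parser for the multipart boundary parameter and a part splitter that caps
# the number of parts, so a crafted Content-Type header or body cannot make
# parsing cost grow without limit. Names and limits here are assumptions,
# except the 70-character boundary maximum, which comes from RFC 2046 s5.1.1.
import re

MAX_CONTENT_TYPE_LEN = 1024  # assumed cap on the header before it is parsed at all
MAX_PARTS = 50               # assumed cap on parts in one request

# RFC 2046 boundary: 1 to 70 characters from a fixed set, no trailing space.
# Both quantifiers are bounded, so fullmatch cannot backtrack catastrophically.
_BCHAR = r"0-9A-Za-z'()+_,\-./:=?"
BOUNDARY_RE = re.compile(rf"[{_BCHAR} ]{{0,69}}[{_BCHAR}]")


def parse_multipart_boundary(content_type: str) -> str:
    """Return the boundary from a multipart/form-data Content-Type header.

    Rejects over-long headers before any parsing, and boundaries that are
    missing, empty, over-long or outside the RFC 2046 character set.
    """
    if len(content_type) > MAX_CONTENT_TYPE_LEN:
        raise ValueError("Content-Type header too long")
    media, _, params = content_type.partition(";")
    if media.strip().lower() != "multipart/form-data":
        raise ValueError("not multipart/form-data")
    boundary = None
    for param in params.split(";"):  # one linear pass over the parameters
        name, sep, value = param.strip().partition("=")
        if sep and name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoted-string form
            boundary = value
    if boundary is None:
        raise ValueError("boundary parameter missing")
    if not BOUNDARY_RE.fullmatch(boundary):
        raise ValueError("boundary is empty, longer than 70 characters, or has illegal characters")
    return boundary


def split_parts(body: bytes, boundary: str, max_parts: int = MAX_PARTS) -> list[bytes]:
    """Split a body on its delimiter and return the raw parts (headers + data).

    The split is a single linear pass, and the part count is checked before
    any per-part work (header parsing, decoding, storage) is done.
    """
    delimiter = b"--" + boundary.encode("ascii")
    chunks = body.split(delimiter)
    if len(chunks) < 2 or not chunks[-1].startswith(b"--"):
        raise ValueError("missing closing delimiter")
    parts = chunks[1:-1]  # drop preamble and epilogue
    if len(parts) > max_parts:
        raise ValueError(f"too many parts: {len(parts)} > {max_parts}")
    return [p.removeprefix(b"\r\n").removesuffix(b"\r\n") for p in parts]


if __name__ == "__main__":
    ct = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
    b = parse_multipart_boundary(ct)
    # Constructed sample body with one part.
    body = (b"--" + b.encode() + b"\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\n"
            b"hello\r\n--" + b.encode() + b"--\r\n")
    print(split_parts(body, b))
```

The body size itself is the third dimension and belongs to the layer that reads the request (a Content-Length or streaming limit) rather than to this parser, which assumes it has already been applied.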