Update dependency litellm to v1.84.0 [SECURITY]#360
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.83.0→1.84.0LiteLLM: Server-Side Template Injection in /prompts/test endpoint
CVE-2026-42203 / GHSA-xqmj-j6mv-4862
More information
Details
Impact
The
POST /prompts/testendpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process.The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host.
Proxy deployments running an affected version are in scope.
Patches
The issue is fixed in
1.83.7-stable. The fix switches the prompt template renderer to a sandboxed environment that blocks the attributes this attack relies on.LiteLLM recommends upgrading to
1.83.7-stableor later.Workarounds
If upgrading is not immediately possible:
POST /prompts/testat your reverse proxy or API gateway.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM has SQL Injection in Proxy API key verification
CVE-2026-42208 / GHSA-r75f-5x8p-qvmc
More information
Details
Impact
A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted
Authorizationheader to any LLM API route (for examplePOST /chat/completions) and reach this query through the proxy's error-handling path.An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages.
Patches
Fixed in
1.83.7. The caller-supplied value is now always passed to the database as a separate parameter. Upgrade to1.83.7or later.Workarounds
If upgrading is not immediately possible, set
disable_error_logs: trueundergeneral_settings. This removes the path through which unauthenticated input reaches the vulnerable query.References
v1.83.7-stableDiscovery Credit: Tencent YunDing Security Lab
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM: Authenticated command execution via MCP stdio test endpoints
CVE-2026-42271 / GHSA-v4p8-mg3p-g94g
More information
Details
Impact
Two endpoints used to preview an MCP server before saving it —
POST /mcp-rest/test/connectionandPOST /mcp-rest/test/tools/list— accepted a full server configuration in the request body, including thecommand,args, andenvfields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process.The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user — including holders of low-privilege internal-user keys — could therefore run arbitrary commands on the host.
Patches
Fixed in
1.83.7. Both test endpoints now require thePROXY_ADMINrole, bringing them into line with the save endpoint.Workarounds
If upgrading is not immediately possible, developers should block
POST /mcp-rest/test/connectionandPOST /mcp-rest/test/tools/listat their reverse proxy or API gateway.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM has a sandbox escape in custom-code guardrail
CVE-2026-40217 / GHSA-wxxx-gvqv-xp7p
More information
Details
Impact
The
POST /guardrails/test_custom_codeendpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.Reaching the endpoint requires a proxy-admin credential in default configurations.
Patches
Fixed in
1.83.11. The hand-rolled sandbox has been replaced withRestrictedPython. Upgrade to1.83.11or later.Workarounds
If upgrading is not immediately possible, block
POST /guardrails/test_custom_codeat your reverse proxy or API gateway.References
v1.83.10-stableSeverity
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
LiteLLM: Authentication Bypass via Host Header Injection
CVE-2026-49468 / GHSA-4xpc-pv4p-pm3w
More information
Details
Impact
A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes.
The auth layer derived the effective route from
request.url.pathinlitellm/proxy/auth/auth_utils.py::get_request_route(), which Starlette reconstructs from theHostheader. A craftedHostcould therefore make the auth gate evaluate a different route from the one FastAPI dispatched.Most deployments are not affected. The bypass is blocked by any upstream layer that validates or normalizes
Host, such as:server_nameallowlistsLiteLLM Cloud customers are not affected.
Patches
Fixed in
1.84.0. Upgrade to1.84.0or later. No configuration change is required.Workarounds
If upgrading is not immediately possible, place the proxy behind an upstream component that validates or normalizes the
Hostheader before forwarding (a CDN/WAF, a reverse proxy with explicitserver_nameallowlists, or a cloud load balancer with host-based routing rules), or otherwise restrict network access to the proxy listener.References
v1.84.0Discovery Credit: Le The Thang (KCSC) and Kim Ngoc Chung (One Mount Group)
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
BerriAI/litellm (litellm)
v1.84.0Verify Docker Image Signature
All LiteLLM Docker images are signed with cosign. Every release is signed with the same key introduced in commit
0112e53.Verify using the pinned commit hash (recommended):
A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key:
Verify using the release tag (convenience):
Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules:
Expected output:
What's Changed
New Contributors
Full Changelog: BerriAI/litellm@v1.83.14-stable.patch.3...v1.84.0
Configuration
📅 Schedule: (in timezone America/Los_Angeles)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.