Impact
A flaw was found in the json.dumps function of the litellm SSO Debug Flow (ui_sso.py) that skips authentication checks. This omission allows an attacker to craft input that is processed without verifying identity, resulting in unauthorized access or impersonation. The vulnerability is classified as Authentication Failure (CWE-287) and Missing Authentication (CWE-306), and can be triggered remotely.
Affected Systems
The issue affects BerriAI litellm versions up to and including 1.82.2. Any installations running these or earlier releases should be considered exposed until the flaw is remediated.
Risk and Exploitability
With a CVSS score of 6.9, the flaw presents moderate severity. EPSS data is not available, and the vulnerability is not listed in KEV, but it is publicly disclosed and can be exploited from a remote source. The lack of authentication checks directly leads to a high impact for systems exposing the SSO Debug Flow interface, especially if that endpoint is reachable from untrusted networks.
OpenCVE Enrichment