Impact
The vulnerability arises because LiteLLM concatenates the caller‑supplied API key directly into an SQL statement used for proxy authentication. This improper input handling creates a classic SQL injection point (CWE‑89). An attacker who can send a request to any LLM API route, such as POST /chat/completions, can exploit the error‑handling path to inject SQL that reads or modifies data stored in the proxy’s database.
Affected Systems
The flaw affects BerriAI LiteLLM versions 1.81.16 through 1.83.6 inclusive. Any deployment that has not upgraded to the patched release 1.83.7 or later is vulnerable. The issue is present in all environments where the proxy API is reachable over the network, including public internet exposure or untrusted internal networks.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity, and the EPSS score of 87% shows a high likelihood of exploitation. The vulnerability is listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker can send a specially crafted Authorization header in a standard HTTP request to trigger the vulnerable query, requiring no credentials. Successful exploitation yields full read and write access to the proxy’s database, potentially exposing all stored API keys and credentials.
OpenCVE Enrichment
Github GHSA