Impact
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to version 1.84.0, a Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The authentication layer derives the effective route from request.url.path in litellm/proxy/auth/auth_utils.py::get_request_route(), which Starlette reconstructs from the Host header. By injecting a crafted Host header, an attacker can cause the authentication gate to evaluate a different route than the one FastAPI dispatched, thereby bypassing the authentication check and gaining unauthorized access to protected routes. This vulnerability was a CWE-290 authentication bypass flaw and was fixed in version 1.84.0.
Affected Systems
The vulnerability affects the BerriAI:litellm product. Any deployment of LiteLLM prior to version 1.84.0 is susceptible; version 1.84.0 and later contain the fix.
Risk and Exploitability
The CVSS score is 9.5, indicating critical severity. The EPSS score is <1%, suggesting a very low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, indicating no known active exploitation at present. The likely attack vector is a network‑based Host header injection performed over HTTP, indicating that systems exposed to external networks could be compromised if the host header is not properly validated.
OpenCVE Enrichment
Github GHSA