CVE-2024-6587: LiteLLM: SSRF leaks OpenAI API key to attacker

Severity: HIGH | Actively exploited | PoC available | CISA: Track*
Published September 13, 2024
CISO Take

Any LiteLLM 1.38.10 deployment is one unauthenticated HTTP request away from losing its OpenAI API key — no privileges, no user interaction required. Patch immediately and rotate all OpenAI keys that were in use on affected instances. If patching is not possible today, block the api_base parameter at the network or application layer as an emergency workaround.

What is the risk?

HIGH. CVSS 7.5 with network-accessible vector, zero authentication barrier, and trivial exploitation makes this immediately actionable. The impact is full OpenAI API key compromise, enabling financial harm (unbounded API charges billed to the victim), access to GPT-4o and organization-level LLM resources, and potential exfiltration if the key has Assistants API or fine-tune permissions. LiteLLM's widespread adoption as an enterprise LLM gateway amplifies exposure significantly across AI-heavy organizations.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LiteLLM pip No patch

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 36.9% chance of exploitation in 30 days (higher than 98% of all CVEs)
Exploitation Status: Actively Exploited
Sophistication: Trivial
Exploitation Confidence: high
CISA KEV (active exploitation confirmed)
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 37%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

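Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None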

What should I do?

5 steps
  1. PATCH

    Upgrade LiteLLM to a version at or after commit ba1912afd1b19e38d3704bb156adf887f91ae1e0.

  2. ROTATE

    Immediately rotate all OpenAI (and any other provider) API keys configured in affected LiteLLM instances — assume compromise if the endpoint was internet-accessible.

  3. RESTRICT

    As an emergency workaround, block user-supplied api_base in request validation middleware or deploy a WAF rule rejecting api_base in /chat/completions payloads.

  4. DETECT

    Review outbound HTTP logs from LiteLLM hosts for requests to non-sanctioned LLM provider domains and unexpected Authorization header destinations.

  5. MONITOR

    Enable OpenAI usage alerts for anomalous consumption spikes that would indicate stolen-key abuse.
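
For the DETECT step, one way to run the review over egress proxy logs. This is an added example, not code from the advisory or from the LiteLLM project; the log format, the `litellm-01` source host and the allowlist are assumptions, and the log lines are constructed.

```python
from urllib.parse import urlsplit

# Assumptions, not from the advisory: the egress proxy writes one request per
# line as "<timestamp> <source-host> <method> <url> <status>", LiteLLM runs on
# the hosts below, and these are the provider endpoints this deployment uses.
LITELLM_HOSTS = {"litellm-01"}
SANCTIONED_HOSTS = {"api.openai.com"}
SANCTIONED_SUFFIXES = (".openai.azure.com",)

# Constructed sample log lines (hostnames are placeholders).
SAMPLE_LOG = """\
2024-09-14T10:02:11Z litellm-01 POST https://api.openai.com/v1/chat/completions 200
2024-09-14T10:02:15Z litellm-01 POST https://collector.example.net/chat/completions 200
2024-09-14T10:03:40Z litellm-01 POST https://api.openai.com.lookalike.example/chat/completions 200
2024-09-14T10:03:58Z litellm-01 POST https://api.openai.com@collector.example.net/chat/completions 200
2024-09-14T10:04:02Z litellm-01 POST https://myorg.openai.azure.com/openai/deployments/gpt4o/chat/completions 200
2024-09-14T10:05:00Z build-07 GET https://pypi.org/simple/litellm/ 200
"""


def is_sanctioned(url):
    """True only when the URL's actual host is an allowlisted provider."""
    # urlsplit().hostname drops userinfo and port and lowercases the host, so
    # "api.openai.com@other.host" resolves to "other.host".
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host in SANCTIONED_HOSTS or host.endswith(SANCTIONED_SUFFIXES)


def unsanctioned_egress(log_text):
    """Return (timestamp, source, destination host) for each suspect request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: ignored here, worth counting in production
        timestamp, source, _method, url, _status = fields
        if source in LITELLM_HOSTS and not is_sanctioned(url):
            findings.append((timestamp, source, urlsplit(url).hostname))
    return findings


if __name__ == "__main__":
    for finding in unsanctioned_egress(SAMPLE_LOG):
        print(*finding)
```

Matching on the parsed hostname rather than a substring of the URL is what keeps lookalike hosts and userinfo tricks from passing as `api.openai.com`.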

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system design and development
NIST AI RMF: GOVERN 6.2 - Risk management policies and procedures
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-6587 actively exploited?

Yes, CVE-2024-6587 is confirmed actively exploited and is listed in the CISA Known Exploited Vulnerabilities catalog.

What systems are affected by CVE-2024-6587?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, Multi-provider LLM routing, Agent frameworks, RAG pipelines, AI development platforms.

What is the CVSS score for CVE-2024-6587?

CVE-2024-6587 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 36.95%.

What is the AI security impact?

Affected AI Architectures

LLM API gateways, Multi-provider LLM routing, Agent frameworks, RAG pipelines, AI development platforms

MITRE ATLAS Techniques

AML.T0034 Cost Harvesting
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.
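
The emergency workaround from the RESTRICT step, applied to the behaviour described above, as an added example (not LiteLLM's own code and not the upstream fix). The function names, the `RejectedRequest` exception and the matching of any path ending in `/chat/completions` are assumptions; call it from whatever middleware fronts the proxy.

```python
import json

# Request keys that let a client choose the upstream destination. Only
# api_base is named in the advisory; extend the set for your deployment.
BLOCKED_KEYS = frozenset({"api_base"})


class RejectedRequest(Exception):
    """Raised when a request must be refused before it reaches LiteLLM."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status, self.reason = status, reason


def _scan_pairs(pairs):
    # json.loads calls this for every JSON object, nested ones included, with
    # keys already unescaped, so "api\u005fbase" and nested placements are
    # caught where a byte-level pattern match on the raw body would miss them.
    for key, _value in pairs:
        if key in BLOCKED_KEYS:
            raise RejectedRequest(400, f"client-supplied {key} is not allowed")
    return dict(pairs)


def validate_chat_request(path, raw_body):
    """Return the parsed body, or raise RejectedRequest.

    Returns None for routes this workaround does not cover.
    """
    if not path.rstrip("/").endswith("/chat/completions"):
        return None
    try:
        body = json.loads(raw_body, object_pairs_hook=_scan_pairs)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from it
        raise RejectedRequest(400, "body is not valid JSON") from None
    if not isinstance(body, dict):
        raise RejectedRequest(400, "body must be a JSON object")
    return body
```

This deliberately over-blocks: any object in the payload carrying an `api_base` key is refused, which suits a stopgap until the patched version is deployed.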

Exploitation Scenario

An adversary with no credentials sends a single POST to /chat/completions on an internet-exposed LiteLLM endpoint, setting api_base to an attacker-controlled server (e.g., https://attacker.io/harvest). LiteLLM proxies the request to that server, forwarding the Authorization header containing the raw OpenAI API key. The attacker captures the key in seconds. Follow-on actions: (1) run GPU-intensive workloads billed to the victim, (2) enumerate org-level resources via the OpenAI API, (3) access or exfiltrate content from Assistants threads if org-scoped, or (4) resell the key. Total attacker skill required: able to use curl.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: September 13, 2024
Last Modified: September 20, 2024
First Seen: September 13, 2024