CVE-2024-6587 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any LiteLLM 1.38.10 deployment is one unauthenticated HTTP request away from losing its OpenAI API key — no privileges, no user interaction required. Patch immediately and rotate all OpenAI keys that were in use on affected instances. If patching is not possible today, block the api_base parameter at the network or application layer as an emergency workaround.

Risk Assessment

HIGH. CVSS 7.5 with network-accessible vector, zero authentication barrier, and trivial exploitation makes this immediately actionable. The impact is full OpenAI API key compromise, enabling financial harm (unbounded API charges billed to the victim), access to GPT-4o and organization-level LLM resources, and potential exfiltration if the key has Assistants API or fine-tune permissions. LiteLLM's widespread adoption as an enterprise LLM gateway amplifies exposure significantly across AI-heavy organizations.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
litellm	pip	—	No patch
45.5K OpenSSF 6.2 4 dependents Pushed 6d ago 50% patched ~43d to patch Full package profile →

Do you use litellm? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

88.4%

chance of exploitation in 30 days

Higher than 100% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Actively Exploited

Sophistication

Trivial

Exploitation Confidence

high

✓ CISA KEV (active exploitation confirmed)

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 88%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

5 steps

PATCH

Upgrade LiteLLM to a version at or after commit ba1912afd1b19e38d3704bb156adf887f91ae1e0.
ROTATE

Immediately rotate all OpenAI (and any other provider) API keys configured in affected LiteLLM instances — assume compromise if the endpoint was internet-accessible.
RESTRICT

As an emergency workaround, block user-supplied api_base in request validation middleware or deploy a WAF rule rejecting api_base in /chat/completions payloads.
DETECT

Review outbound HTTP logs from LiteLLM hosts for requests to non-sanctioned LLM provider domains and unexpected Authorization header destinations.
MONITOR

Enable OpenAI usage alerts for anomalous consumption spikes that would indicate stolen-key abuse.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass API Framework AML.T0034 - Cost Harvesting AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system design and development

NIST AI RMF

GOVERN 6.2 - Risk management policies and procedures

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-6587?

Any LiteLLM 1.38.10 deployment is one unauthenticated HTTP request away from losing its OpenAI API key — no privileges, no user interaction required. Patch immediately and rotate all OpenAI keys that were in use on affected instances. If patching is not possible today, block the api_base parameter at the network or application layer as an emergency workaround.

Is CVE-2024-6587 actively exploited?

Yes, CVE-2024-6587 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2024-6587?

1. PATCH: Upgrade LiteLLM to a version at or after commit ba1912afd1b19e38d3704bb156adf887f91ae1e0. 2. ROTATE: Immediately rotate all OpenAI (and any other provider) API keys configured in affected LiteLLM instances — assume compromise if the endpoint was internet-accessible. 3. RESTRICT: As an emergency workaround, block user-supplied api_base in request validation middleware or deploy a WAF rule rejecting api_base in /chat/completions payloads. 4. DETECT: Review outbound HTTP logs from LiteLLM hosts for requests to non-sanctioned LLM provider domains and unexpected Authorization header destinations. 5. MONITOR: Enable OpenAI usage alerts for anomalous consumption spikes that would indicate stolen-key abuse.

What systems are affected by CVE-2024-6587?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, Multi-provider LLM routing, Agent frameworks, RAG pipelines, AI development platforms.

What is the CVSS score for CVE-2024-6587?

CVE-2024-6587 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 88.37%.

Technical Details

NVD Description

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.

Exploitation Scenario

An adversary with no credentials sends a single POST to /chat/completions on an internet-exposed LiteLLM endpoint, setting api_base to an attacker-controlled server (e.g., https://attacker.io/harvest). LiteLLM proxies the request to that server, forwarding the Authorization header containing the raw OpenAI API key. The attacker captures the key in seconds. Follow-on actions: (1) run GPU-intensive workloads billed to the victim, (2) enumerate org-level resources via the OpenAI API, (3) access or exfiltrate content from Assistants threads if org-scoped, or (4) resell the key. Total attacker skill required: able to use curl.