CVE-2025-0628 — HIGH (CVSS 8.1) AI Security Vulnerability

CISO Take

Any user with a 'viewer' role in litellm can obtain an API key that grants full proxy admin access, including user enumeration and admin endpoint control. If litellm is your LLM gateway—a common architecture in enterprise AI deployments—this is a critical exposure. Patch to 1.61.15 immediately, rotate all API keys issued before the patch, and audit access logs for /users/list and /users/get_users calls.

Risk Assessment

Effective risk is higher than CVSS 8.1 suggests for AI-heavy organizations. litellm is the de facto LLM proxy layer in many enterprise AI stacks, acting as a single control plane for all model access. A viewer account (low-barrier to obtain) escalates to full admin with zero additional steps. Low complexity + network-accessible + no user interaction = trivial to weaponize. Not in CISA KEV yet, but the attack surface is broad given litellm's adoption.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
litellm	pip	< 1.61.15	`1.61.15`
45.5K OpenSSF 6.2 4 dependents Pushed 6d ago 50% patched ~43d to patch Full package profile →

Do you use litellm? You're affected.

Severity & Risk

CVSS 3.1

8.1 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 51% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A None

Recommended Action

6 steps

Patch: upgrade litellm to >= 1.61.15 immediately.
Rotate all API keys issued to 'internal_user_viewer' accounts—assume any key issued pre-patch is compromised.
Audit logs for unauthorized access to /users/list, /users/get_users, and other admin endpoints; look for viewer-role accounts making admin calls.
Network-level controls: restrict litellm admin endpoints to trusted internal IPs only (not publicly exposed).
Implement least-privilege role validation at the API key issuance layer and add integration tests that assert viewer roles cannot access admin endpoints.
Enable alerting on role-permission mismatches in your API gateway.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction API Framework AML.T0012 - Valid Accounts AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0091.000 - Application Access Token

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15(5) - Cybersecurity and resilience Article 9 - Risk management system

ISO 42001

A.6.1.2 - Segregation of duties A.9.4.1 - Information access restriction

NIST AI RMF

GOVERN 1.7 - Processes for AI risk identification and management MANAGE 2.4 - Mechanisms to respond to AI risks

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-0628?

Any user with a 'viewer' role in litellm can obtain an API key that grants full proxy admin access, including user enumeration and admin endpoint control. If litellm is your LLM gateway—a common architecture in enterprise AI deployments—this is a critical exposure. Patch to 1.61.15 immediately, rotate all API keys issued before the patch, and audit access logs for /users/list and /users/get_users calls.

Is CVE-2025-0628 actively exploited?

No confirmed active exploitation of CVE-2025-0628 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-0628?

1. Patch: upgrade litellm to >= 1.61.15 immediately. 2. Rotate all API keys issued to 'internal_user_viewer' accounts—assume any key issued pre-patch is compromised. 3. Audit logs for unauthorized access to /users/list, /users/get_users, and other admin endpoints; look for viewer-role accounts making admin calls. 4. Network-level controls: restrict litellm admin endpoints to trusted internal IPs only (not publicly exposed). 5. Implement least-privilege role validation at the API key issuance layer and add integration tests that assert viewer roles cannot access admin endpoints. 6. Enable alerting on role-permission mismatches in your API gateway.

What systems are affected by CVE-2025-0628?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy and gateway deployments, Multi-model inference routing, Enterprise AI API management, Agent frameworks using litellm as backend, RAG pipelines routed through litellm.

What is the CVSS score for CVE-2025-0628?

CVE-2025-0628 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.27%.

Technical Details

NVD Description

An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internal_user_viewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application, including endpoints such as '/users/list' and '/users/get_users'. This vulnerability allows for privilege escalation within the application, enabling any account to become a PROXY ADMIN.

Exploitation Scenario

An adversary targets an organization using litellm as their AI model gateway. They obtain a viewer-level account—via phishing, credential stuffing against a SSO portal, or simply by registering as a low-privilege user in a misconfigured instance. Upon login, litellm issues them an API key that silently carries admin-level permissions. The attacker calls GET /users/list to enumerate all accounts and their associated API keys, identifies high-value admin accounts, and pivots to full PROXY ADMIN control. From there, they can redirect model traffic to attacker-controlled endpoints (for prompt harvesting), revoke legitimate user access, or exfiltrate the full API key registry for downstream attacks against model providers.