CVE-2025-0628: LiteLLM privilege escalation

CISO Take

Any user with a 'viewer' role in litellm can obtain an API key that grants full proxy admin access, including user enumeration and admin endpoint control. If litellm is your LLM gateway—a common architecture in enterprise AI deployments—this is a critical exposure. Patch to 1.61.15 immediately, rotate all API keys issued before the patch, and audit access logs for /users/list and /users/get_users calls.

What is the risk?

Effective risk is higher than CVSS 8.1 suggests for AI-heavy organizations. litellm is the de facto LLM proxy layer in many enterprise AI stacks, acting as a single control plane for all model access. A viewer account (low-barrier to obtain) escalates to full admin with zero additional steps. Low complexity + network-accessible + no user interaction = trivial to weaponize. Not in CISA KEV yet, but the attack surface is broad given litellm's adoption.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LiteLLM	pip	< 1.61.15	`1.61.15`
51.0K OpenSSF 6.1 6 dependents Pushed 2d ago 38% patched ~38d to patch Full package profile →

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1

8.1 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 33% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A None

What should I do?

6 steps

Patch: upgrade litellm to >= 1.61.15 immediately.
Rotate all API keys issued to 'internal_user_viewer' accounts—assume any key issued pre-patch is compromised.
Audit logs for unauthorized access to /users/list, /users/get_users, and other admin endpoints; look for viewer-role accounts making admin calls.
Network-level controls: restrict litellm admin endpoints to trusted internal IPs only (not publicly exposed).
Implement least-privilege role validation at the API key issuance layer and add integration tests that assert viewer roles cannot access admin endpoints.
Enable alerting on role-permission mismatches in your API gateway.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction API Framework AML.T0012 - Valid Accounts AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0091.000 - Application Access Token

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15(5) - Cybersecurity and resilience Article 9 - Risk management system

ISO 42001

A.6.1.2 - Segregation of duties A.9.4.1 - Information access restriction

NIST AI RMF

GOVERN 1.7 - Processes for AI risk identification and management MANAGE 2.4 - Mechanisms to respond to AI risks

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-0628?

Any user with a 'viewer' role in litellm can obtain an API key that grants full proxy admin access, including user enumeration and admin endpoint control. If litellm is your LLM gateway—a common architecture in enterprise AI deployments—this is a critical exposure. Patch to 1.61.15 immediately, rotate all API keys issued before the patch, and audit access logs for /users/list and /users/get_users calls.

Is CVE-2025-0628 actively exploited?

No confirmed active exploitation of CVE-2025-0628 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-0628?

1. Patch: upgrade litellm to >= 1.61.15 immediately. 2. Rotate all API keys issued to 'internal_user_viewer' accounts—assume any key issued pre-patch is compromised. 3. Audit logs for unauthorized access to /users/list, /users/get_users, and other admin endpoints; look for viewer-role accounts making admin calls. 4. Network-level controls: restrict litellm admin endpoints to trusted internal IPs only (not publicly exposed). 5. Implement least-privilege role validation at the API key issuance layer and add integration tests that assert viewer roles cannot access admin endpoints. 6. Enable alerting on role-permission mismatches in your API gateway.

What systems are affected by CVE-2025-0628?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy and gateway deployments, Multi-model inference routing, Enterprise AI API management, Agent frameworks using litellm as backend, RAG pipelines routed through litellm.

What is the CVSS score for CVE-2025-0628?

CVE-2025-0628 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.41%.

What is the AI security impact?

Affected AI Architectures

LLM proxy and gateway deploymentsMulti-model inference routingEnterprise AI API managementAgent frameworks using litellm as backendRAG pipelines routed through litellm

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 15(5), Article 9

ISO 42001: A.6.1.2, A.9.4.1

NIST AI RMF: GOVERN 1.7, MANAGE 2.4

OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internal_user_viewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application, including endpoints such as '/users/list' and '/users/get_users'. This vulnerability allows for privilege escalation within the application, enabling any account to become a PROXY ADMIN.

Exploitation Scenario

An adversary targets an organization using litellm as their AI model gateway. They obtain a viewer-level account—via phishing, credential stuffing against a SSO portal, or simply by registering as a low-privilege user in a misconfigured instance. Upon login, litellm issues them an API key that silently carries admin-level permissions. The attacker calls GET /users/list to enumerate all accounts and their associated API keys, identifies high-value admin accounts, and pivots to full PROXY ADMIN control. From there, they can redirect model traffic to attacker-controlled endpoints (for prompt harvesting), revoke legitimate user access, or exfiltrate the full API key registry for downstream attacks against model providers.

Weaknesses (CWE)

CWE-266 Incorrect Privilege Assignment Primary CWE-285 Improper Authorization Primary

CWE-266 — Incorrect Privilege Assignment: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

[Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
[Architecture and Design, Operation] Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Source: MITRE CWE corpus.