AI Threat Alert

CVE-2025-11203: LiteLLM: Info Disclosure leaks sensitive data

UNKNOWN
Published October 29, 2025
CISO Take

LiteLLM's health endpoint leaks API keys to any authenticated user, exposing credentials for every connected LLM provider (OpenAI, Anthropic, Azure OpenAI, etc.). Patch to v1.63.14+ immediately and rotate all API keys stored in your LiteLLM deployment. Audit health endpoint access logs retroactively — if LiteLLM is internet-facing with shared credentials, assume compromise.

What is the risk?

HIGH risk for organizations using LiteLLM as an LLM proxy or gateway. Although authentication is required to exploit, LiteLLM deployments typically grant broad API access to developers and applications. A single compromised low-privilege account can pivot to full provider credential exfiltration. The blast radius is significant: exposed keys grant direct access to LLM provider accounts, enabling cost harvesting, data exfiltration via inference API, and bypassing all LiteLLM-layer controls.

How severe is it?

CVSS 3.1
N/A
EPSS
0.4%
chance of exploitation in 30 days
Higher than 29% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

6 steps

  1. PATCH

    Upgrade LiteLLM to v1.63.14-stable immediately — this is a targeted fix per release notes.

  2. ROTATE

    Rotate all API keys stored in LiteLLM configuration post-patch; revoke the old keys at the provider level.

  3. AUDIT

    Query logs for GET/POST requests to /health endpoint with API_KEY parameter from the past 90 days.

  4. RESTRICT

    Limit access to the health endpoint via network ACLs or API gateway policies — it should not be publicly reachable.

  5. SCOPE

    Replace shared high-privilege provider API keys with scoped keys (spending limits, restricted models) to reduce blast radius of future credential leaks.

  6. DETECT

    Alert on health endpoint access by non-admin authenticated users.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Leakage Data Extraction Auth Bypass API Framework Inference AML.T0040 AML.T0049 AML.T0055 AML.T0083 AML.T0106

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - Information security in AI system lifecycle
NIST AI RMF
MANAGE-2.2 - Risk Treatment — Monitoring and Response
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-11203?

LiteLLM's health endpoint leaks API keys to any authenticated user, exposing credentials for every connected LLM provider (OpenAI, Anthropic, Azure OpenAI, etc.). Patch to v1.63.14+ immediately and rotate all API keys stored in your LiteLLM deployment. Audit health endpoint access logs retroactively — if LiteLLM is internet-facing with shared credentials, assume compromise.

Is CVE-2025-11203 actively exploited?

No confirmed active exploitation of CVE-2025-11203 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-11203?

1. PATCH: Upgrade LiteLLM to v1.63.14-stable immediately — this is a targeted fix per release notes. 2. ROTATE: Rotate all API keys stored in LiteLLM configuration post-patch; revoke the old keys at the provider level. 3. AUDIT: Query logs for GET/POST requests to /health endpoint with API_KEY parameter from the past 90 days. 4. RESTRICT: Limit access to the health endpoint via network ACLs or API gateway policies — it should not be publicly reachable. 5. SCOPE: Replace shared high-privilege provider API keys with scoped keys (spending limits, restricted models) to reduce blast radius of future credential leaks. 6. DETECT: Alert on health endpoint access by non-admin authenticated users.

What systems are affected by CVE-2025-11203?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy/gateway deployments, multi-model routing (LiteLLM-based), agent frameworks, RAG pipelines, model serving.

What is the CVSS score for CVE-2025-11203?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

LLM proxy/gateway deploymentsmulti-model routing (LiteLLM-based)agent frameworksRAG pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

LiteLLM Information health API_KEY Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LiteLLM. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the API_KEY parameter provided to the health endpoint. The issue results from exposing sensitive information to an unauthorized actor. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26585.

Exploitation Scenario

An attacker with any valid LiteLLM API key — obtained via a phishing campaign targeting a developer, a leaked .env file in a public repo, or a compromised CI/CD secret — authenticates to the LiteLLM proxy and queries the /health endpoint passing their API_KEY. The response returns stored provider credentials (e.g., OPENAI_API_KEY, ANTHROPIC_API_KEY) in plaintext. The attacker extracts these keys, establishes direct API access to provider accounts bypassing LiteLLM entirely, and uses them to exfiltrate training data context via inference queries, run unauthorized inference at the victim's expense, or sell the credentials on darknet markets. The original compromised LiteLLM key may never trigger downstream provider alerts.

Weaknesses (CWE)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

References

Timeline

Published
October 29, 2025
Last Modified
April 15, 2026
First Seen
October 29, 2025

Related Vulnerabilities

CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Data Leakage
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Leakage
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
Back to Threat Feed