CVE-2025-11203 — UNKNOWN AI Security Vulnerability

CISO Take

LiteLLM's health endpoint leaks API keys to any authenticated user, exposing credentials for every connected LLM provider (OpenAI, Anthropic, Azure OpenAI, etc.). Patch to v1.63.14+ immediately and rotate all API keys stored in your LiteLLM deployment. Audit health endpoint access logs retroactively — if LiteLLM is internet-facing with shared credentials, assume compromise.

Risk Assessment

HIGH risk for organizations using LiteLLM as an LLM proxy or gateway. Although authentication is required to exploit, LiteLLM deployments typically grant broad API access to developers and applications. A single compromised low-privilege account can pivot to full provider credential exfiltration. The blast radius is significant: exposed keys grant direct access to LLM provider accounts, enabling cost harvesting, data exfiltration via inference API, and bypassing all LiteLLM-layer controls.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.1%

chance of exploitation in 30 days

Higher than 31% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

6 steps

PATCH

Upgrade LiteLLM to v1.63.14-stable immediately — this is a targeted fix per release notes.
ROTATE

Rotate all API keys stored in LiteLLM configuration post-patch; revoke the old keys at the provider level.
AUDIT

Query logs for GET/POST requests to /health endpoint with API_KEY parameter from the past 90 days.
RESTRICT

Limit access to the health endpoint via network ACLs or API gateway policies — it should not be publicly reachable.
SCOPE

Replace shared high-privilege provider API keys with scoped keys (spending limits, restricted models) to reduce blast radius of future credential leaks.
DETECT

Alert on health endpoint access by non-admin authenticated users.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Leakage Data Extraction Auth Bypass API Framework Inference AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - Information security in AI system lifecycle

NIST AI RMF

MANAGE-2.2 - Risk Treatment — Monitoring and Response

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-11203?

LiteLLM's health endpoint leaks API keys to any authenticated user, exposing credentials for every connected LLM provider (OpenAI, Anthropic, Azure OpenAI, etc.). Patch to v1.63.14+ immediately and rotate all API keys stored in your LiteLLM deployment. Audit health endpoint access logs retroactively — if LiteLLM is internet-facing with shared credentials, assume compromise.

Is CVE-2025-11203 actively exploited?

No confirmed active exploitation of CVE-2025-11203 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-11203?

1. PATCH: Upgrade LiteLLM to v1.63.14-stable immediately — this is a targeted fix per release notes. 2. ROTATE: Rotate all API keys stored in LiteLLM configuration post-patch; revoke the old keys at the provider level. 3. AUDIT: Query logs for GET/POST requests to /health endpoint with API_KEY parameter from the past 90 days. 4. RESTRICT: Limit access to the health endpoint via network ACLs or API gateway policies — it should not be publicly reachable. 5. SCOPE: Replace shared high-privilege provider API keys with scoped keys (spending limits, restricted models) to reduce blast radius of future credential leaks. 6. DETECT: Alert on health endpoint access by non-admin authenticated users.

What systems are affected by CVE-2025-11203?

This vulnerability affects the following AI/ML architecture patterns: LLM proxy/gateway deployments, multi-model routing (LiteLLM-based), agent frameworks, RAG pipelines, model serving.

What is the CVSS score for CVE-2025-11203?

No CVSS score has been assigned yet.

Technical Details

NVD Description

LiteLLM Information health API_KEY Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LiteLLM. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the API_KEY parameter provided to the health endpoint. The issue results from exposing sensitive information to an unauthorized actor. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26585.

Exploitation Scenario

An attacker with any valid LiteLLM API key — obtained via a phishing campaign targeting a developer, a leaked .env file in a public repo, or a compromised CI/CD secret — authenticates to the LiteLLM proxy and queries the /health endpoint passing their API_KEY. The response returns stored provider credentials (e.g., OPENAI_API_KEY, ANTHROPIC_API_KEY) in plaintext. The attacker extracts these keys, establishes direct API access to provider accounts bypassing LiteLLM entirely, and uses them to exfiltrate training data context via inference queries, run unauthorized inference at the victim's expense, or sell the credentials on darknet markets. The original compromised LiteLLM key may never trigger downstream provider alerts.