CVE-2025-45809: LiteLLM SQL injection

CISO Take

LiteLLM is a widely-deployed LLM proxy that centralizes API keys for OpenAI, Anthropic, and other providers — making its database a high-value target. This SQL injection in the key block/unblock endpoints could allow an attacker to extract stored provider API keys, enabling unauthorized LLM usage billed to your organization. Upgrade to 1.81.0+ immediately and restrict these endpoints to trusted networks as a compensating control.

What is the risk?

CVSS 5.4 understates operational risk. While User Interaction Required limits automated exploitation, the target database contains LLM provider API keys (OpenAI, Anthropic, Azure, etc.) worth thousands in potential abuse. Organizations running LiteLLM as a shared gateway amplify the blast radius — a single successful SQLi could expose credentials for every downstream AI service. Low attack complexity means exploitation requires no specialized AI/ML knowledge once an admin is socially engineered.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LiteLLM	pip	—	No patch
51.0K OpenSSF 6.1 6 dependents Pushed 2d ago 44% patched ~38d to patch Full package profile →

Do you use LiteLLM? You're affected.

How severe is it?

CVSS 3.1

5.4 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Unchanged

C Low

I Low

A None

What should I do?

6 steps

Patch immediately: upgrade LiteLLM to >= 1.81.0.
If patching is delayed, restrict /key/block and /key/unblock endpoints to admin-only networks via firewall or reverse proxy ACLs.
Rotate all LLM provider API keys stored in LiteLLM as a precaution if any exposure window existed.
Enable database query logging and audit for anomalous SQL patterns targeting the keys table.
Review LiteLLM access logs for unexpected calls to /key/block or /key/unblock from untrusted IPs.
Implement WAF rules for SQLi patterns on these endpoints as a defense-in-depth measure.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass API Framework AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.2 - Information security controls for AI systems

NIST AI RMF

MANAGE-2.4 - Residual risks are monitored and managed

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-45809?

LiteLLM is a widely-deployed LLM proxy that centralizes API keys for OpenAI, Anthropic, and other providers — making its database a high-value target. This SQL injection in the key block/unblock endpoints could allow an attacker to extract stored provider API keys, enabling unauthorized LLM usage billed to your organization. Upgrade to 1.81.0+ immediately and restrict these endpoints to trusted networks as a compensating control.

Is CVE-2025-45809 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-45809, increasing the risk of exploitation.

How to fix CVE-2025-45809?

1. Patch immediately: upgrade LiteLLM to >= 1.81.0. 2. If patching is delayed, restrict /key/block and /key/unblock endpoints to admin-only networks via firewall or reverse proxy ACLs. 3. Rotate all LLM provider API keys stored in LiteLLM as a precaution if any exposure window existed. 4. Enable database query logging and audit for anomalous SQL patterns targeting the keys table. 5. Review LiteLLM access logs for unexpected calls to /key/block or /key/unblock from untrusted IPs. 6. Implement WAF rules for SQLi patterns on these endpoints as a defense-in-depth measure.

What systems are affected by CVE-2025-45809?

This vulnerability affects the following AI/ML architecture patterns: LLM API gateways, Multi-provider LLM proxy deployments, RAG pipelines, Agent frameworks, Model serving, Multi-tenant AI platforms.

What is the CVSS score for CVE-2025-45809?

CVE-2025-45809 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.25%.

What is the AI security impact?

Affected AI Architectures

LLM API gatewaysMulti-provider LLM proxy deploymentsRAG pipelinesAgent frameworksModel servingMulti-tenant AI platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0025 Exfiltration via Cyber Means

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: A.9.2

NIST AI RMF: MANAGE-2.4

OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

SQL Injection vulnerability in BerriAI LiteLLM before 1.81.0 allows attackers to execute arbitrary commands via the key parameter to the "/key/block" and "/key/unblock" API endpoints.

Exploitation Scenario

An attacker identifies an organization running LiteLLM as their LLM gateway via job postings or GitHub repos. They craft a phishing email to a developer or admin with a link that triggers a GET/POST request to /key/block with a SQLi payload in the key parameter (e.g., a CSRF-style attack or a link the user clicks). The injected SQL query extracts API keys from the database — potentially yielding OpenAI, Anthropic, or Azure OpenAI keys with full spend limits. The attacker then uses exfiltrated keys directly against provider APIs for high-volume LLM queries, generating significant costs for the victim organization and potentially accessing proprietary prompts or conversation histories stored in the LiteLLM backend.

Weaknesses (CWE)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
[Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.