Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| litellm | pip | < 1.83.0 | 1.83.0 |
Recommended Action
Patch available
Update litellm to version 1.83.0
Technical Details
NVD Description
### Impact

When JWT authentication is enabled (`enable_jwt_auth: true`), the OIDC userinfo cache uses `token[:20]` as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. **Most instances are not affected.**

An unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled.

### Patches

Fixed in v1.83.0. The cache key now uses the full hash of the JWT token.

### Workarounds

Disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.
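Added example, not litellm's own code: it shows why a `token[:20]` cache key collides for every token with the same header, and why hashing the whole token (the v1.83.0 fix described above) does not. The HS256 signing helper, the demo secret, the `fetch_userinfo` stand-in, the `userinfo_lookup` cache-aside function and the sample subjects are constructed assumptions; only the two key derivations come from the advisory.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment's signing key is not on the page.
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict) -> str:
    """Constructed helper: build a compact HS256 JWT for a given set of claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def weak_cache_key(token: str) -> str:
    """Pre-1.83.0 key as described in the advisory: the first 20 characters.
    That prefix lies entirely inside the base64url-encoded header, so every
    token carrying the same {"alg","typ"} header maps to the same key."""
    return token[:20]


def fixed_cache_key(token: str) -> str:
    """Post-fix key as described in the advisory: a hash of the whole token."""
    return hashlib.sha256(token.encode()).hexdigest()


def fetch_userinfo(token: str) -> dict:
    """Stand-in for the upstream userinfo call: decodes the constructed payload."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def userinfo_lookup(token: str, key_fn, cache: dict) -> dict:
    """Cache-aside lookup: whatever identity was stored under the key is returned,
    so a key collision hands the caller another user's cached identity."""
    key = key_fn(token)
    if key not in cache:
        cache[key] = fetch_userinfo(token)
    return cache[key]
```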
Related Vulnerabilities (same package: litellm)

- CVE-2024-6825 (8.8): LiteLLM: RCE via post_call_rules callback injection
- CVE-2025-0628 (8.1): litellm: privilege escalation viewer→proxy admin via bad API key
- CVE-2024-4888 (8.1): litellm: arbitrary file deletion via audio endpoint
- CVE-2024-10188 (7.5): litellm: unauthenticated DoS crashes LLM proxy server
- CVE-2024-8984 (7.5): litellm: unauthenticated DoS via multipart boundary parsing