CVE-2025-0628

Published: Mar 20, 2025Modified: Oct 15, 2025

8.1

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: security@huntr.dev (Secondary)

Description

An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internal_user_viewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application, including endpoints such as '/users/list' and '/users/get_users'. This vulnerability allows for privilege escalation within the application, enabling any account to become a PROXY ADMIN.

Related CWEs

CWE-266

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (2)

https://github.com/berriai/litellm/commit/566d9354aab4215091b2e51ad0333e948125fa1b

Source: security@huntr.dev

https://huntr.com/bounties/6c0e2f75-2d03-42f9-9530-e16a973317fc

Source: security@huntr.dev

Timeline

No history available yet.