CVE-2025-0330

In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfuse_secret and langfuse_public_key, which can provide full access to the Langfuse project storing all requests.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/661b388a-44d8-4ad5-862b-4dc5b80be30a	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:litellm:litellm:1.52.1:-:*:*:*:*:*:*

History

01 Aug 2025, 13:58

Type	Values Removed	Values Added
CPE		cpe:2.3:a:litellm:litellm:1.52.1:-::::::
Summary		(es) En la versión 1.52.1 de berriai/litellm, un problema en proxy_server.py provoca la fuga de claves de API de Langfuse cuando se produce un error al analizar la configuración del equipo. Esta vulnerabilidad expone información confidencial, como langfuse_secret y langfuse_public_key, que puede proporcionar acceso completo al proyecto Langfuse que almacena todas las solicitudes.
References	~~() https://huntr.com/bounties/661b388a-44d8-4ad5-862b-4dc5b80be30a -~~	() https://huntr.com/bounties/661b388a-44d8-4ad5-862b-4dc5b80be30a - Exploit, Third Party Advisory
First Time		Litellm litellm Litellm

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-08-01 13:58

NVD link : CVE-2025-0330

Mitre link : CVE-2025-0330

CVE.ORG link : CVE-2025-0330

JSON object : View

Products Affected

litellm

litellm

CWE

CWE-1230

Exposure of Sensitive Information Through Metadata

7.5 /10