CVE-2024-6587

Source
https://cve.org/CVERecord?id=CVE-2024-6587
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6587.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-6587
Aliases
Published
2024-09-13T15:59:53.557Z
Modified
2026-07-08T07:31:24.220990789Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
SSRF in berriai/litellm
Details

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the api_base parameter when making requests to POST /chat/completions, causing the application to send the request to the domain specified by api_base. This request includes the OpenAI API key. A malicious user can set the api_base to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/6xxx/CVE-2024-6587.json",
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/berriai/litellm

Affected ranges

Type
GIT
Repo
https://github.com/berriai/litellm
Events
Database specific
{
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:litellm:litellm:1.38.10:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.38.10"
        },
        {
            "last_affected": "1.38.10"
        }
    ]
}

Affected versions

1.*
1.38.10
1.40.8.dev1
1.41.11.dev5
1.41.12.dev1
1.41.14.dev15
1.44.6
v1.*
v1.38.10
v1.38.11
v1.38.12
v1.39.2
v1.39.3
v1.39.4
v1.39.5
v1.39.5-stable
v1.39.6
v1.40.0
v1.40.1
v1.40.1.dev2
v1.40.1.dev4
v1.40.10
v1.40.11
v1.40.12
v1.40.13
v1.40.14
v1.40.15
v1.40.16
v1.40.17
v1.40.19
v1.40.2
v1.40.2-stable
v1.40.20
v1.40.21
v1.40.22
v1.40.24
v1.40.25
v1.40.26
v1.40.27
v1.40.28
v1.40.29
v1.40.3
v1.40.3-stable
v1.40.31
v1.40.4
v1.40.5
v1.40.6
v1.40.7
v1.40.7.dev1
v1.40.8
v1.40.8-stable
v1.40.9
v1.40.9-stable
v1.41.0
v1.41.0-stable
v1.41.1
v1.41.11
v1.41.11.dev1
v1.41.12
v1.41.13
v1.41.14
v1.41.14.dev10
v1.41.14.dev8
v1.41.15
v1.41.17
v1.41.18
v1.41.19
v1.41.2
v1.41.2-stable
v1.41.20
v1.41.21
v1.41.22
v1.41.23
v1.41.23-stable
v1.41.24
v1.41.24.dev1
v1.41.25
v1.41.26
v1.41.26.dev1
v1.41.27
v1.41.28
v1.41.3
v1.41.3.dev2
v1.41.4
v1.41.4.dev1
v1.41.5
v1.41.5.dev1
v1.41.6
v1.41.6.dev1
v1.41.7
v1.41.8
v1.41.8.dev1
v1.41.8.dev2
v1.42.0
v1.42.0-stable
v1.42.1
v1.42.10
v1.42.10-stable
v1.42.11
v1.42.12
v1.42.2
v1.42.2-stable
v1.42.3
v1.42.3-stable
v1.42.4
v1.42.4-stable
v1.42.5
v1.42.5-dev1
v1.42.5-dev2
v1.42.5-stable
v1.42.6
v1.42.7
v1.42.7-stable
v1.42.8
v1.42.9
v1.42.9-stable
v1.42.9-stable-fix
v1.42.9.dev1
v1.43.0
v1.43.1
v1.43.1-dev1
v1.43.10
v1.43.10-stable
v1.43.12
v1.43.13
v1.43.13-stable
v1.43.15
v1.43.15-stable
v1.43.16
v1.43.16-stable
v1.43.17
v1.43.18
v1.43.18-stable
v1.43.19
v1.43.19-stable
v1.43.19.dev1
v1.43.19.dev2
v1.43.2
v1.43.3
v1.43.4
v1.43.4.dev5
v1.43.5
v1.43.5-stable
v1.43.6
v1.43.6-stable
v1.43.6.dev1
v1.43.7
v1.43.7-stable
v1.43.9
v1.44.1
v1.44.2
v1.44.3
v1.44.4
v1.44.4.dev2
v1.44.5
v1.44.6
v1.44.6-stable
v1.44.7
v1.44.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6587.json"