cbcvebase.
CVE-2024-6587
published 2024-09-13

Priority: P1 · 82 · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 36.95% (98.3rd percentile)
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.

Affected (10 ranges)

Vendor    | Product         | Version range                        | Fixed in
berriai   | berriai_litellm | >= unspecified < 1.44.9              | 1.44.9
litellm   | litellm         |                                      |
litellm   | litellm         | >= 0 < 1.44.8                        | 1.44.8
x.org     | xorg-server     | >= 0 < 2:1.20.13-1ubuntu1~20.04.15   | 2:1.20.13-1ubuntu1~20.04.15
x.org     | xorg-server     | >= 0 < 2:21.1.4-2ubuntu1.7~22.04.8   | 2:21.1.4-2ubuntu1.7~22.04.8
x.org     | xorg-server     | >= 0 < 2:1.18.4-0ubuntu0.12+esm9     | 2:1.18.4-0ubuntu0.12+esm9
x.org     | xorg-server     | >= 0 < 2:1.18.4-0ubuntu0.12+esm10    | 2:1.18.4-0ubuntu0.12+esm10
x.org     | xorg-server     | >= 0 < 2:1.19.6-1ubuntu4.15+esm4     | 2:1.19.6-1ubuntu4.15+esm4
x.org     | xorg-server     | >= 0 < 2:1.19.6-1ubuntu4.15+esm5     | 2:1.19.6-1ubuntu4.15+esm5
x.org     | xwayland        | >= 0 < 2:22.1.1-1ubuntu0.11          | 2:22.1.1-1ubuntu0.11

Detection & IOCs (extracted from sources)

url: POST /chat/completions HTTP/1.1
path: /chat/completions
  • Exploit payload: POST /chat/completions with a user-controlled `api_base` field in the JSON body pointing to an attacker-controlled domain. The server will forward the OpenAI API key in the Authorization: Bearer header to that domain.
  • Confirm exploitation by detecting an outbound HTTP request to an attacker-controlled host containing the string 'Bearer' in the request body/headers, indicating the OpenAI API key was exfiltrated.
  • Identify exposed LiteLLM instances via Shodan using the favicon hash 439373620.
  • Monitor POST requests to /chat/completions where the JSON body contains an `api_base` key with an external or unexpected domain value; this is the SSRF trigger parameter.
  • Alert on outbound HTTP requests from the LiteLLM server process to domains not in an approved allowlist, especially those carrying an Authorization: Bearer header, as this indicates SSRF-based API key leakage.
  • The vulnerability affects LiteLLM version 1.38.10 specifically. Verify the deployed version before applying detection rules to avoid false positives on patched instances.
  • The Nuclei template uses an out-of-band interaction server (interactsh) to confirm exploitation. In environments without external egress, the SSRF may still occur internally but will not trigger the interactsh-based matcher; use internal network monitoring as a supplement.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd       | v3.0    | 7.5   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv       |         | 9.8   | CRITICAL |
vulncheck |         | 7.5   | HIGH     |