SSRF vulnerability in chat completion endpoint
A Server-Side Request Forgery (SSRF) vulnerability in version 1.38.10 allows attackers to intercept OpenAI API keys by specifying a malicious `api_base` parameter. This issue has not yet been patched.
Available publicly on Jul 12 2024
Threat Overview
The SSRF vulnerability allows an attacker to specify a custom api_base
parameter when making requests to the POST /chat/completions
endpoint. The application then sends the request, including the OpenAI API key, to the attacker-controlled domain. This can lead to unauthorized access to the OpenAI API, bypassing rate limiting and budget management controls, and potentially causing significant financial and operational impacts.
Attack Scenario
An attacker sets up a server to intercept requests and specifies this server as the api_base
parameter in a request to the POST /chat/completions
endpoint. The application sends the request, including the OpenAI API key, to the attacker's server, allowing the attacker to capture the key and use it for unauthorized purposes.
Who is affected
Users of the litellm proxy version 1.38.10 who expose their OpenAI API keys through the api_base
parameter are affected by this vulnerability.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.