Description
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfuse_secret and langfuse_public_key, which can provide full access to the Langfuse project storing all requests.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/661b388a-44d8-4ad5-862b-4dc5b80be30a
Scores
CVSS v3
7.5
EPSS
0.0037
EPSS Percentile
58.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1230
Status
published
Products (2)
litellm/litellm
1.52.1
pypi/litellm
0PyPI
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026