CVE-2024-6587
Published: 13 September 2024
Summary
CVE-2024-6587 is a high-severity SSRF (CWE-918) vulnerability in Litellm Litellm. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models; in the Privacy and Disclosure risk domain.
Deeper analysis
A Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2024-6587, affects berriai/litellm version 1.38.10. The flaw resides in the handling of the api_base parameter supplied to the POST /chat/completions endpoint, which causes the application to issue an outbound request to an arbitrary domain while embedding the configured OpenAI API key in the request.
An unauthenticated remote attacker can supply a malicious api_base value pointing to an attacker-controlled server. When the application processes the request, it forwards the API key to that server, enabling the attacker to capture the credential and obtain unauthorized access to the associated OpenAI account and resources.
The referenced GitHub commit ba1912afd1b19e38d3704bb156adf887f91ae1e0 contains the fix applied to the litellm codebase. The associated huntr.com report provides additional technical detail on the issue and its resolution.
The vulnerability carries a CVSS score of 7.5 and an EPSS score of 0.8863. Because litellm is widely used to proxy requests to large-language-model APIs, the flaw directly impacts AI/ML infrastructure that relies on external API keys.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2785
Vulnerability details
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This…
more
request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.
- CWE(s)
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- LiteLLM (berriai/litellm) is a proxy library for unifying calls to various LLM APIs (e.g., OpenAI /chat/completions endpoint), making it directly related to AI model APIs.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF vulnerability (CVE-2024-6587) in public-facing /chat/completions endpoint enables exploitation of public-facing application (T1190) to steal OpenAI API key treated as application access token (T1528).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.