Cyber Resilience

CVE-2024-6587

HighPublic PoC

Published: 13 September 2024

Published
13 September 2024
Modified
20 September 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.8863 99.5th percentile
Risk Priority 68 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-6587 is a high-severity SSRF (CWE-918) vulnerability in Litellm Litellm. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as APIs and Models; in the Privacy and Disclosure risk domain.

Deeper analysis

A Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2024-6587, affects berriai/litellm version 1.38.10. The flaw resides in the handling of the api_base parameter supplied to the POST /chat/completions endpoint, which causes the application to issue an outbound request to an arbitrary domain while embedding the configured OpenAI API key in the request.

An unauthenticated remote attacker can supply a malicious api_base value pointing to an attacker-controlled server. When the application processes the request, it forwards the API key to that server, enabling the attacker to capture the credential and obtain unauthorized access to the associated OpenAI account and resources.

The referenced GitHub commit ba1912afd1b19e38d3704bb156adf887f91ae1e0 contains the fix applied to the litellm codebase. The associated huntr.com report provides additional technical detail on the issue and its resolution.

The vulnerability carries a CVSS score of 7.5 and an EPSS score of 0.8863. Because litellm is widely used to proxy requests to large-language-model APIs, the flaw directly impacts AI/ML infrastructure that relies on external API keys.

EU & UK References

Vulnerability details

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This…

more

request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.

CWE(s)

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
LiteLLM (berriai/litellm) is a proxy library for unifying calls to various LLM APIs (e.g., OpenAI /chat/completions endpoint), making it directly related to AI model APIs.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

SSRF vulnerability (CVE-2024-6587) in public-facing /chat/completions endpoint enables exploitation of public-facing application (T1190) to steal OpenAI API key treated as application access token (T1528).

Affected Assets

litellm
litellm
1.38.10

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

References