CVE-2024-9606
Published: 20 March 2025
Summary
CVE-2024-9606 is a high-severity Improper Output Neutralization for Logs (CWE-117) vulnerability in Litellm Litellm. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 43.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-9606 is a logging vulnerability in the berriai/litellm Python library, specifically affecting versions before 1.44.12, with the issue confirmed in v1.44.9. Located in the file `litellm/litellm_core_utils/litellm_logging.py`, the flaw stems from API key masking logic that obscures only the first five characters of the key, resulting in logs that expose nearly the entire secret. This improper output neutralization (CWE-116) and improper encoding (CWE-117) carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact.
The vulnerability enables exploitation by any attacker who gains access to the application's logs, such as through log aggregation systems, shared storage, or compromised logging endpoints. No privileges, user interaction, or special conditions are required beyond log visibility, which is often granted to developers, operators, or external monitoring services. Successful exploitation allows extraction of almost complete API keys, potentially granting unauthorized access to downstream services proxied by LiteLLM, such as LLM providers, leading to unauthorized API usage, data exfiltration, or further compromise.
Mitigation is addressed in the GitHub commit 9094071c4782183e84f10630e2450be3db55509a, which fixes the masking logic in LiteLLM version 1.44.12 and later. Security practitioners should upgrade affected installations immediately and review historical logs for exposed keys. The issue was reported via Huntr (bounty ID 4a03796f-a8d4-4293-84ef-d3959456223a), emphasizing proactive auditing of logging mechanisms in LLM proxy deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6847
Vulnerability details
In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API key in the logs,…
more
exposing a significant amount of the secret key. The issue affects version v1.44.9.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability leaks nearly full API keys in application logs due to improper masking, facilitating theft of application access tokens (T1528) and unsecured credentials in files (T1552.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires filtering sensitive information like unmasked API keys from log outputs to prevent leakage in logging mechanisms.
Mandates defining and coordinating audit record content to exclude or properly mask sensitive API keys, addressing the improper logging flaw.
Protects audit logs containing potentially sensitive data from unauthorized access, reducing exposure risk via log aggregation or storage.