Cyber Resilience

CVE-2024-9606

HighPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
07 April 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0021 43.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-9606 is a high-severity Improper Output Neutralization for Logs (CWE-117) vulnerability in Litellm Litellm. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 43.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-9606 is a logging vulnerability in the berriai/litellm Python library, specifically affecting versions before 1.44.12, with the issue confirmed in v1.44.9. Located in the file `litellm/litellm_core_utils/litellm_logging.py`, the flaw stems from API key masking logic that obscures only the first five characters of the key, resulting in logs that expose nearly the entire secret. This improper output neutralization (CWE-116) and improper encoding (CWE-117) carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact.

The vulnerability enables exploitation by any attacker who gains access to the application's logs, such as through log aggregation systems, shared storage, or compromised logging endpoints. No privileges, user interaction, or special conditions are required beyond log visibility, which is often granted to developers, operators, or external monitoring services. Successful exploitation allows extraction of almost complete API keys, potentially granting unauthorized access to downstream services proxied by LiteLLM, such as LLM providers, leading to unauthorized API usage, data exfiltration, or further compromise.

Mitigation is addressed in the GitHub commit 9094071c4782183e84f10630e2450be3db55509a, which fixes the masking logic in LiteLLM version 1.44.12 and later. Security practitioners should upgrade affected installations immediately and review historical logs for exposed keys. The issue was reported via Huntr (bounty ID 4a03796f-a8d4-4293-84ef-d3959456223a), emphasizing proactive auditing of logging mechanisms in LLM proxy deployments.

EU & UK References

Vulnerability details

In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API key in the logs,…

more

exposing a significant amount of the secret key. The issue affects version v1.44.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The vulnerability leaks nearly full API keys in application logs due to improper masking, facilitating theft of application access tokens (T1528) and unsecured credentials in files (T1552.001).

CVEs Like This One

CVE-2026-35029Same product: Litellm Litellm
CVE-2026-35030Same product: Litellm Litellm
CVE-2026-42271Same product: Litellm Litellm
CVE-2026-42208Same product: Litellm Litellm
CVE-2026-47102Same product: Litellm Litellm
CVE-2026-47101Same product: Litellm Litellm
CVE-2026-40217Same product: Litellm Litellm
CVE-2026-33634Same product: Litellm Litellm
CVE-2026-24737Shared CWE-116
CVE-2026-22792Shared CWE-116

Affected Assets

litellm
litellm
≤ 1.44.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires filtering sensitive information like unmasked API keys from log outputs to prevent leakage in logging mechanisms.

prevent

Mandates defining and coordinating audit record content to exclude or properly mask sensitive API keys, addressing the improper logging flaw.

prevent

Protects audit logs containing potentially sensitive data from unauthorized access, reducing exposure risk via log aggregation or storage.

References