Cyber Posture

CVE-2024-9606

High · Public PoC

Published: 20 March 2025
Modified: 07 April 2025
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0021 (43.1st percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-9606 is a high-severity Improper Output Neutralization for Logs (CWE-117) vulnerability in LiteLLM (listed as vendor/product Litellm Litellm). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE ranks at the 43.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under APIs and Models, in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Steal Application Access Token (T1528) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-15 (Information Output Filtering), prevent: directly requires filtering sensitive information such as unmasked API keys from log outputs, preventing leakage through logging mechanisms.

AU-3 (Content of Audit Records), prevent: mandates defining and coordinating audit record content so that sensitive API keys are excluded or properly masked, addressing the improper logging flaw.

prevent: protects audit logs containing potentially sensitive data from unauthorized access, reducing exposure via log aggregation or storage.

MITRE ATT&CK Enterprise Techniques

T1528 Steal Application Access Token (Credential Access): adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

T1552.001 Credentials In Files (Credential Access): adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

The vulnerability leaks nearly full API keys in application logs due to improper masking, facilitating theft of application access tokens (T1528) and of unsecured credentials in files (T1552.001).

NVD Description

In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API key in the logs, exposing a significant amount of the secret key. The issue affects version v1.44.9.

Deeper analysis

CVE-2024-9606 is a logging vulnerability in the berriai/litellm Python library, affecting versions before 1.44.12, with the issue confirmed in v1.44.9. Located in the file `litellm/litellm_core_utils/litellm_logging.py`, the flaw stems from API key masking logic that obscures only the first five characters of the key, so the logs expose nearly the entire secret. This improper output neutralization for logs (CWE-117) and improper encoding or escaping of output (CWE-116) carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting a high confidentiality impact.

The vulnerability enables exploitation by any attacker who gains access to the application's logs, such as through log aggregation systems, shared storage, or compromised logging endpoints. No privileges, user interaction, or special conditions are required beyond log visibility, which is often granted to developers, operators, or external monitoring services. Successful exploitation allows extraction of almost complete API keys, potentially granting unauthorized access to downstream services proxied by LiteLLM, such as LLM providers, leading to unauthorized API usage, data exfiltration, or further compromise.

Mitigation is addressed in the GitHub commit 9094071c4782183e84f10630e2450be3db55509a, which fixes the masking logic in LiteLLM version 1.44.12 and later. Security practitioners should upgrade affected installations immediately and review historical logs for exposed keys. The issue was reported via Huntr (bounty ID 4a03796f-a8d4-4293-84ef-d3959456223a), emphasizing proactive auditing of logging mechanisms in LLM proxy deployments.
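The two points above, the five-character mask and the recommended review of historical logs, can be seen side by side in the following added example. It is illustrative code written for this page, not LiteLLM's own implementation: `mask_first_n` reproduces the described behaviour, `mask_key` shows a masking scheme that keeps only a short prefix and suffix, and `find_leaked_keys` scans constructed log lines for key remnants; the key, log lines, `sk-` prefix and 16-character threshold are all assumptions.

```python
import re

# Constructed sample key for demonstration; not a real credential.
SAMPLE_KEY = "sk-1234567890abcdefghijklmnopqrstuvwxyz"


def mask_first_n(key: str, n: int = 5) -> str:
    """Masking of the kind the advisory describes: only the first n characters
    are replaced, so the rest of the secret is written to the log as-is.
    Illustration of the described behaviour, not LiteLLM's own code."""
    return "*" * min(n, len(key)) + key[n:]


def mask_key(key: str, keep_prefix: int = 3, keep_suffix: int = 4) -> str:
    """Hardened masking: keep a short prefix and suffix for correlation only and
    use a fixed-width filler, so neither the secret nor its length is exposed."""
    if len(key) <= keep_prefix + keep_suffix + 4:
        return "********"
    return f"{key[:keep_prefix]}...{key[-keep_suffix:]}"


def visible_secret_chars(masked: str) -> int:
    """Count how many characters of the original secret remain readable."""
    return sum(1 for ch in masked if ch not in "*.")


# Assumed shape of a leaked key remnant: a run of 16+ key-alphabet characters
# either following a masking marker or forming an unmasked "sk-" style token.
LEAK_RE = re.compile(r"(?:\*{2,}|\bsk-)[A-Za-z0-9_-]{16,}")


def find_leaked_keys(log_lines):
    """Return (line_number, matched_text) for lines carrying a key remnant that
    masking left readable; intended for reviewing historical logs."""
    return [(no, m.group(0))
            for no, line in enumerate(log_lines, 1)
            for m in LEAK_RE.finditer(line)]


# Constructed log lines: one written by the flawed masker, one by the fixed one.
LOG_LINES = [
    f"2025-03-20 10:00:01 INFO headers: Authorization=Bearer {mask_first_n(SAMPLE_KEY)}",
    f"2025-03-20 10:00:02 INFO headers: Authorization=Bearer {mask_key(SAMPLE_KEY)}",
    "2025-03-20 10:00:03 INFO model=gpt-4o status=200",
]

if __name__ == "__main__":
    for no, fragment in find_leaked_keys(LOG_LINES):
        print(f"line {no}: leaked key remnant {fragment!r}")
```

Of the 39-character sample key, the five-character mask leaves 34 characters readable, while the prefix/suffix scheme leaves 7; only the first log line is flagged by the scan.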

Details

CWE(s): CWE-117, CWE-116

Affected Products

litellm / litellm: ≤ 1.44.12

AI Security Analysis

AI Category: APIs and Models
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: LiteLLM (berriai/litellm) is a library providing a unified SDK for calling 100+ LLM APIs (e.g., OpenAI, Anthropic), making it directly related to APIs and models in the AI ecosystem.

CVEs Like This One

CVE-2026-42208 (same product: Litellm Litellm)
CVE-2026-35029 (same product: Litellm Litellm)
CVE-2026-42271 (same product: Litellm Litellm)
CVE-2026-35030 (same product: Litellm Litellm)
CVE-2026-40217 (same product: Litellm Litellm)
CVE-2026-33634 (same product: Litellm Litellm)
CVE-2026-31898 (shared CWE-116)
CVE-2026-34483 (shared CWE-116)
CVE-2025-55729 (shared CWE-116)
CVE-2025-55730 (shared CWE-116)