Authentication Bypass via Host Header Injection
Summary
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.84.0, This vulnerability is fixed in 1.84.0. A flaw was found in LiteLLM, a proxy server (AI Gateway) used to call Large Language Model (LLM) APIs. A remote attacker could exploit a Host-header parsing vulnerability in the proxy authentication layer. By sending a crafted Host header, an attacker could gain unauthenticated access to protected management routes, potentially leading to full system compromise. The vulnerability is rated with Important severity due to the limited attack surface in our default deployment configuration. While the affected images ship with a vulnerable version of litellm, the specific vulnerability is restricted solely to proxy management-route authentication. By default, these images do not start the LiteLLM proxy server. Instead, the default entrypoints are configured to run OGX, the MLflow server (with the AI Gateway disabled), Garak evaluation jobs, or Lightspeed/Llama Stack APIs. The proxy auth bypass is not reachable unless an administrator separately deploys litellm --config from the container. For Red Hat OpenShift AI and Ansible Automation Platform products, the severity has been set to low since these products include litellm as a dependency in some images but do not run the LiteLLM proxy in default configurations, hence the vulnerable code path is not exposed. Red Hat severity: Important — CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-290. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- To mitigate the risk of unauthenticated access, restrict network access to the LiteLLM proxy's management routes. Configure network firewalls or security groups to permit inbound connections only from trusted internal networks. This operational control limits the exposure of vulnerable endpoints to unauthorized external access. If the LiteLLM proxy is deployed behind a load balancer or API gateway, ensure these components are configured to strictly validate and sanitize the HTTP Host header before forwarding requests.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.