Safety vulnerability ID: 71721
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of Litellm are vulnerable to blind SQL Injection. This vulnerability in the '/team/update' endpoint allows attackers to inject malicious SQL commands through the 'user_id' parameter, potentially leading to unauthorized access to sensitive data including API keys, user information, and tokens. The flaw stems from improper handling of user input in raw SQL queries. The patch replaces vulnerable raw SQL queries with parameterized queries using Prisma ORM, effectively preventing SQL injection attacks.
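Added illustration of the before/after shape described above; this is not LiteLLM's code or schema, and an in-memory sqlite3 table stands in for the Prisma-backed database. The 'user_id' value is pasted into the SQL text in the vulnerable form and passed as a bound parameter in the fixed form, and a regression-style check confirms only the named user's row can change.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table (assumption: not the project's real schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, team_id TEXT, api_key TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "team-a", "sk-alice"), ("bob", "team-b", "sk-bob"), ("carol", "team-b", "sk-carol")],
    )
    return db


def update_team_unsafe(db: sqlite3.Connection, user_id: str, new_team: str) -> int:
    # 'Before' shape: caller input becomes part of the statement text, so a quote
    # inside user_id changes the WHERE clause instead of being matched literally.
    sql = f"UPDATE users SET team_id = '{new_team}' WHERE user_id = '{user_id}'"
    return db.execute(sql).rowcount


def update_team_safe(db: sqlite3.Connection, user_id: str, new_team: str) -> int:
    # 'After' shape (mirrors a parameterized query): the statement is fixed and the
    # driver binds user_id as a value, whatever characters it contains.
    return db.execute(
        "UPDATE users SET team_id = ? WHERE user_id = ?", (new_team, user_id)
    ).rowcount


def teams(db: sqlite3.Connection) -> dict:
    return dict(db.execute("SELECT user_id, team_id FROM users ORDER BY user_id"))


def demo() -> tuple:
    # Constructed input containing a quote; a parameterized update must treat it as
    # a literal (no such user, zero rows), while string formatting lets it widen the WHERE.
    crafted = "alice' OR '1'='1"
    db_unsafe, db_safe = make_db(), make_db()
    n_unsafe = update_team_unsafe(db_unsafe, crafted, "team-x")
    n_safe = update_team_safe(db_safe, crafted, "team-x")
    return n_unsafe, teams(db_unsafe), n_safe, teams(db_safe)


if __name__ == "__main__":
    print(demo())
```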
Latest version: 1.52.14
Library to easily interface with LLM API providers