A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in berriai/litellm version 1.38.10. This vulnerability allows an attacker to specify the api_base parameter when making requests to POST /chat/completions, causing the application to send the request to the attacker-controlled domain specified by api_base. As a result, the attacker can intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.
This vulnerability has been assigned the CVE identifier CVE-2024-6587.
Exploit Details
The vulnerability is located in the chat/completions endpoint, where an attacker can provide a custom api_base parameter. The vulnerable code snippet is as follows:
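import requests
from flask import Flask, request

app = Flask(__name__)
# DEFAULT_API_BASE and get_openai_api_key() are defined elsewhere in the application.

@app.route('/chat/completions', methods=['POST'])
def chat_completions():
    data = request.get_json()
    # Vulnerable: the upstream base URL is taken from the request body.
    api_base = data.get('api_base', DEFAULT_API_BASE)
    api_key = get_openai_api_key()
    # The server's API key is sent to whatever host api_base names.
    response = requests.post(
        f'{api_base}/v1/engines/davinci-codex/completions',
        headers={'Authorization': f'Bearer {api_key}'},
        json=data
    )
    return response.json()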
By specifying the api_base parameter, an attacker can make the application send the request, including the OpenAI API key in the Authorization header, to a domain of the attacker's choosing. Upon intercepting the request containing the API key, an attacker can perform unauthorized actions using the OpenAI API, potentially leading to data breaches, fraudulent activities, or even API overuse.
Original References
- Vulnerability Report: berriai/litellm#1234
- Patch Commit: berriai/litellm@8a1df26
Mitigations
Users of berriai/litellm are advised to update their systems to the latest version (v1.38.11) published by the developers. This version includes a fix for the SSRF vulnerability by removing the option to set the api_base parameter in requests sent to the POST /chat/completions endpoint. By limiting the api_base parameter to a predefined default value, the risk of unauthorized API key interception is mitigated.
@app.route('/chat/completions', methods=['POST'])
def chat_completions():
    data = request.get_json()
    api_key = get_openai_api_key()
    # Fixed: the upstream is always DEFAULT_API_BASE; api_base from the request is never read.
    response = requests.post(
        f'{DEFAULT_API_BASE}/v1/engines/davinci-codex/completions',
        headers={'Authorization': f'Bearer {api_key}'},
        json=data
    )
    return response.json()
As a best practice, users should also periodically rotate their OpenAI API keys to limit the potential impact of any security breaches.
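Where a deployment still needs a per-request upstream, the same goal (the server's key only ever reaches an approved host) can be met with an origin allowlist. The following is an added example that goes beyond the fix described above and is not litellm's code; ALLOWED_ORIGINS, parse_origin, resolve_upstream and UpstreamRejected are hypothetical names, and the configured values are constructed.

```python
from urllib.parse import urlsplit

# Assumed operator configuration (constructed values, not taken from litellm).
DEFAULT_API_BASE = "https://api.openai.com"
ALLOWED_ORIGINS = {("https", "api.openai.com", 443)}


class UpstreamRejected(ValueError):
    """A request tried to send the credentialed call to an unapproved origin."""


def parse_origin(url):
    """Return (scheme, host, port) for a plain http(s) URL, else None."""
    if not isinstance(url, str):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo ("allowed.host@other.host") invites parser confusion
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def resolve_upstream(payload, allowed=ALLOWED_ORIGINS, default=DEFAULT_API_BASE):
    """Return (api_base, body) where api_base is safe to call with the server's key.

    api_base is removed from the forwarded body and rebuilt from the parsed
    origin, so the HTTP client never sees the caller's raw string.
    """
    body = dict(payload)
    origin = parse_origin(body.pop("api_base", default))
    if origin is None or origin not in allowed:
        raise UpstreamRejected("api_base is not an approved upstream origin")
    scheme, host, port = origin
    return f"{scheme}://{host}:{port}", body
```

The handler would call resolve_upstream() before attaching the Authorization header and return an error response when UpstreamRejected is raised.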
Conclusion
The SSRF vulnerability in berriai/litellm version 1.38.10 is a serious security issue that could allow malicious actors to gain unauthorized access to OpenAI API keys and perform unauthorized actions. To secure your application, update to the latest version and follow best practices when handling sensitive API keys. Stay vigilant and regularly update your software to maintain the highest level of protection against such vulnerabilities.
Timeline
Published on: 09/13/2024 16:15:04 UTC
Last modified on: 09/20/2024 14:55:16 UTC