## https://sploitus.com/exploit?id=8CE4761E-40E3-5285-948E-9190434686A1
# CVE-2025-11203 β LiteLLM Health Endpoint API_KEY Information Disclosure
> **LiteLLM** (v1.63.14+): The **docker-compose.yml** file contains vulnerable code that allows authenticated users to access API Keys stored in other model configurations. The `api_key` field, which should be removed using the `_clean_endpoint_data()` function, is reportedly leaked in certain code paths.
| Field | Value |
|-------|-------|
| **CVE** | CVE-2025-11203 |
| **ZDI ID** | ZDI-25-929 (ZDI-CAN-26585) |
| **CVSS v3.0** | **3.5 (LOW)** β `AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N` |
| **CWE** | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) |
| **Affected** | LiteLLM ** **Note: Step 1 takes ~60s because LiteLLM probes each upstream model (fake keys cause each connection to time out). The leaked keys appear under `unhealthy_endpoints` since fake keys cannot actually connect to OpenAI/Anthropic. **Fix version prevents leakage:**
```
======================================================================
[FIXED] CVE-2025-11203 β Health Endpoint API Key Leak
======================================================================
No API keys found in response. [+] Expected: keys sanitized by _clean_endpoint_data()
```
---
## Technical Details
### Vulnerability Code
The vulnerability lies in the `_clean_endpoint_data()` function in `litellm/proxy/health_check.py`. This function filters sensitive fields like `api_key` using the `ILLEGAL_DISPLAY_PARAMS` list:
```python
ILLEGAL_DISPLAY_PARAMS = [
"messages",
"api_key",
"prompt",
"input",
"vertex_credentials",
"aws_access_key_id",
"aws_secret_access_key",
]
def _clean_endpoint_data(endpoint_data: dict, details: Optional[bool] = True):
return {
k: v for k, v in endpoint_data.items() if k not in ILLEGAL_DISPLAY_PARAMS
} if details is not False
else {
k: v for k, v in endpoint_data.items() if k in MINIMAL_DISPLAY_PARAMS
}
```
In this demonstration, the `"api_key"` was removed from `ILLEGAL_DISPLAY_PARAMS` using `sed`, causing the `/health` response to return the original model configuration. This simulates the situation where the cleanup function is bypassed in certain code paths.
### Impact
- Authenticated low-privilege users can access API Keys stored in all model configurations.
- Leaked credentials can be used to directly call the LLM providerβs API.
- This could lead to further data leaks and account compromises.
---
## Environment
```
CVE-2025-11203/
βββ README.md # This file
βββ docker-compose.yml # Vulnerable + fixed LiteLLM
βββ litellm_config.yaml # Config with 3 models + API keys
βββ requirements.txt # Python dependencies
βββ litellm-vuln/
β βββ Dockerfile # pip install "litellm[proxy]==1.61.0" + patch
βββ exploit/
β βββ exploit.py # Main exploit script
βββ docs/
β βββ advisory.md
βββ screenshots/
```
---
## Fix
The vulnerability was fixed in v1.63.14. Ensure that `_clean_endpoint_data()` is called correctly in all health check code paths.
### Mitigations
1. **Upgrade** LiteLLM to **v1.63.14+**.
2. If upgrading is not possible, restrict access to the `/health` endpoint from specific sources.
3. Monitor for abnormal access attempts to health check endpoints.
---
## References
- [ZDI-25-929](https://www.zerodayinitiative.com/advisories/ZDI-25-929/)
- [NVD Detail](https://nvd.nist.gov/vuln/detail/CVE-2025-11203)
- [GHSA-w4vf-cc4x-mpjq](https://github.com/advisories/GHSA-w4vf-cc4x-mpjq)
- [LiteLLM v1.63.14 Release Notes](https://docs.litellm.ai/release_notes/v1.63.14-stable)
---
> **Disclaimer:** This content is provided for **educational purposes and authorized security testing only.**