Share
## https://sploitus.com/exploit?id=8CE4761E-40E3-5285-948E-9190434686A1
# CVE-2025-11203 – LiteLLM Health Endpoint API_KEY Information Disclosure

> **LiteLLM** (v1.63.14+): The **docker-compose.yml** file contains vulnerable code that allows authenticated users to access API Keys stored in other model configurations. The `api_key` field, which should be removed using the `_clean_endpoint_data()` function, is reportedly leaked in certain code paths.

| Field | Value |
|-------|-------|
| **CVE** | CVE-2025-11203 |
| **ZDI ID** | ZDI-25-929 (ZDI-CAN-26585) |
| **CVSS v3.0** | **3.5 (LOW)** β€” `AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N` |
| **CWE** | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) |
| **Affected** | LiteLLM ** **Note: Step 1 takes ~60s because LiteLLM probes each upstream model (fake keys cause each connection to time out). The leaked keys appear under `unhealthy_endpoints` since fake keys cannot actually connect to OpenAI/Anthropic. **Fix version prevents leakage:**

```
======================================================================
[FIXED] CVE-2025-11203 β€” Health Endpoint API Key Leak
======================================================================
    No API keys found in response. [+] Expected: keys sanitized by _clean_endpoint_data()
```

---

## Technical Details

### Vulnerability Code

The vulnerability lies in the `_clean_endpoint_data()` function in `litellm/proxy/health_check.py`. This function filters sensitive fields like `api_key` using the `ILLEGAL_DISPLAY_PARAMS` list:

```python
ILLEGAL_DISPLAY_PARAMS = [
    "messages",
    "api_key",
    "prompt",
    "input",
    "vertex_credentials",
    "aws_access_key_id",
    "aws_secret_access_key",
]

def _clean_endpoint_data(endpoint_data: dict, details: Optional[bool] = True):
    return {
        k: v for k, v in endpoint_data.items() if k not in ILLEGAL_DISPLAY_PARAMS
    } if details is not False
else {
    k: v for k, v in endpoint_data.items() if k in MINIMAL_DISPLAY_PARAMS
}
```

In this demonstration, the `"api_key"` was removed from `ILLEGAL_DISPLAY_PARAMS` using `sed`, causing the `/health` response to return the original model configuration. This simulates the situation where the cleanup function is bypassed in certain code paths.

### Impact

- Authenticated low-privilege users can access API Keys stored in all model configurations.
- Leaked credentials can be used to directly call the LLM provider’s API.
- This could lead to further data leaks and account compromises.

---

## Environment

```
CVE-2025-11203/
β”œβ”€β”€ README.md                    # This file
β”œβ”€β”€ docker-compose.yml           # Vulnerable + fixed LiteLLM
β”œβ”€β”€ litellm_config.yaml          # Config with 3 models + API keys
β”œβ”€β”€ requirements.txt             # Python dependencies
β”œβ”€β”€ litellm-vuln/
β”‚   └── Dockerfile               # pip install "litellm[proxy]==1.61.0" + patch
β”œβ”€β”€ exploit/
β”‚   └── exploit.py               # Main exploit script
β”œβ”€β”€ docs/
β”‚   └── advisory.md
└── screenshots/
```

---

## Fix

The vulnerability was fixed in v1.63.14. Ensure that `_clean_endpoint_data()` is called correctly in all health check code paths.

### Mitigations

1. **Upgrade** LiteLLM to **v1.63.14+**.
2. If upgrading is not possible, restrict access to the `/health` endpoint from specific sources.
3. Monitor for abnormal access attempts to health check endpoints.

---

## References

- [ZDI-25-929](https://www.zerodayinitiative.com/advisories/ZDI-25-929/)
- [NVD Detail](https://nvd.nist.gov/vuln/detail/CVE-2025-11203)
- [GHSA-w4vf-cc4x-mpjq](https://github.com/advisories/GHSA-w4vf-cc4x-mpjq)
- [LiteLLM v1.63.14 Release Notes](https://docs.litellm.ai/release_notes/v1.63.14-stable)

---

> **Disclaimer:** This content is provided for **educational purposes and authorized security testing only.**