Submission #811286: litellm <= 1.82.2 Missing Authentication for Critical Function (CWE-306)

Title: litellm <= 1.82.2 Missing Authentication for Critical Function (CWE-306)
Description:

# Technical Details

A Missing Authentication vulnerability exists in the `debug_sso_login` and `debug_sso_callback` handlers in `litellm/proxy/management_endpoints/ui_sso.py` of litellm. The proxy exposes these Single Sign-On (SSO) troubleshooting endpoints without the standard `Depends(user_api_key_auth)` guard. An unauthenticated remote attacker can therefore bypass the proxy's access controls and receive a raw HTML rendering of the Identity Provider's claims, including the OAuth tokens.

# Vulnerable Code

File: `litellm/proxy/management_endpoints/ui_sso.py`

Methods: `debug_sso_login`, `debug_sso_callback`

Why: Neither diagnostic route handler declares an authentication dependency, and no global permission guard covers them. In addition, the callback fetches the SSO response with `return_raw_sso_response=True`, which skips the normal payload filtering (such as the `_OAUTH_TOKEN_FIELDS` removal), so the raw authentication tokens (`access_token`, `id_token`) are passed straight into the debug template. The template embeds that response with `json.dumps()` inside a `<script>` element; `json.dumps()` does not HTML-escape its output, so a claim value containing `</script>` terminates the block and yields Cross-Site Scripting (XSS).

# Reproduction

1. Have an SSO identity provider integration configured on the target LiteLLM instance.
2. From an unauthenticated session, request `GET http://localhost:4000/sso/debug/login`. Note the immediate 303 redirect to the identity provider instead of the 401 challenge returned by authenticated API routes.
3. Complete the identity provider's sign-in flow in the browser.
4. The returned callback page dumps the internal user UUIDs, team IDs and the full raw SSO tokens to the screen.

# Impact

- Large-scale information leakage about internal user structures.
- Direct compromise of user identity assertions through dumping of the OAuth tokens.
- Possible stored XSS leading to hijack of an administrative session if the identity provider allows arbitrary user attribute values (for example a display name) containing `<script>` tags.
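As an added illustration (not code from the submission, the linked gist, or the litellm project), the following stand-alone Python mirrors the two defects described above beside a hardened counterpart: a handler that serves the raw SSO response through `json.dumps()` inside a `<script>` tag, and one that checks for a bearer key first, strips token-bearing fields, and escapes the serialized JSON so an attacker-controlled claim cannot terminate the script block. The sample SSO response (with a deliberately hostile `name` claim), the `TOKEN_FIELDS` list, the header check and every function name are constructed for this example; in the real FastAPI proxy the authentication check is a route dependency such as `dependencies=[Depends(user_api_key_auth)]` on the route decorator rather than an inline header check.

```python
import html
import json

# Constructed sample of what an IdP might hand back to the callback.
# The tokens are placeholders; the "name" claim is attacker-controlled
# profile data containing a script-block breakout.
SAMPLE_SSO_RESPONSE = {
    "sub": "user-1234",
    "email": "alice@example.com",
    "name": "</script><script>alert(document.cookie)</script>",
    "access_token": "ya29.example-access-token",
    "id_token": "eyJhbGciOiJSUzI1NiJ9.example.signature",
    "refresh_token": "1//example-refresh-token",
    "teams": ["team-a", "team-b"],
}

# Hypothetical list of fields that must never reach a debug page. It plays
# the role the description assigns to litellm's _OAUTH_TOKEN_FIELDS, which
# return_raw_sso_response=True bypasses.
TOKEN_FIELDS = frozenset({"access_token", "id_token", "refresh_token", "token", "code"})


def redact_tokens(resp: dict) -> dict:
    """Return a copy of the SSO response with token fields replaced by a marker."""
    return {k: ("<redacted>" if k in TOKEN_FIELDS else v) for k, v in resp.items()}


def json_for_script(obj) -> str:
    """Serialize obj for embedding inside a <script> element.

    json.dumps() leaves '<', '>' and '&' untouched, so a string claim holding
    '</script>' closes the block as far as the HTML parser is concerned.
    Escaping those three characters as \\uXXXX keeps the result valid JSON
    (it round-trips through json.loads) while making it inert to the parser.
    """
    return (
        json.dumps(obj)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_vulnerable(resp: dict) -> str:
    """The pattern described in the advisory: raw response, raw json.dumps()."""
    return f"<script>const sso = {json.dumps(resp)};</script>"


def render_hardened(resp: dict) -> str:
    """Token fields stripped, JSON escaped for <script>, text escaped for <pre>."""
    safe = redact_tokens(resp)
    return (
        f"<script>const sso = {json_for_script(safe)};</script>"
        f"<pre>{html.escape(json.dumps(safe, indent=2))}</pre>"
    )


def _bearer(headers: dict) -> str:
    """Extract the bearer credential from a headers mapping, or '' if absent."""
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""


def debug_callback(headers: dict, resp: dict, valid_keys: set) -> tuple:
    """Hardened callback: (status, body). Authentication runs before any rendering.

    This inline check stands in for a route-level dependency; the point is that
    the diagnostic handler is reachable only with a valid proxy key.
    """
    if _bearer(headers) not in valid_keys:
        return 401, "Unauthorized"
    return 200, render_hardened(resp)


if __name__ == "__main__":
    print("vulnerable page leaks tokens and breaks out of <script>:")
    print(render_vulnerable(SAMPLE_SSO_RESPONSE))
    print()
    print("hardened page, unauthenticated:", debug_callback({}, SAMPLE_SSO_RESPONSE, {"sk-1"}))
    print("hardened page, authenticated:")
    print(debug_callback({"Authorization": "Bearer sk-1"}, SAMPLE_SSO_RESPONSE, {"sk-1"})[1])
```

Running the block shows the vulnerable rendering containing the literal `</script><script>alert(...)` sequence and the placeholder access token, while the hardened rendering contains neither and is still parseable JSON on the client side. Redaction alone would not stop the XSS, and escaping alone would not stop the token leak, which is why both steps sit behind the authentication check rather than replacing it.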
Source: https://gist.github.com/YLChen-007/9b13c75a3a73187a4082cc6df0b100d3
User: Eric-c (UID 96848)
Submission: 23/04/2026 10:06 (2 months ago)
Moderation: 20/06/2026 19:12 (2 months later)
Status: Accepted
VulDB Entry: 372557 [BerriAI litellm up to 1.82.2 SSO Debug Flow ui_sso.py json.dumps weak authentication]
Points: 20
