Submission #811290: litellm latest Server-Side Request Forgery (SSRF) (CWE-918)

Title: litellm latest Server-Side Request Forgery (SSRF) (CWE-918)

Description:

# Technical Details

A Server-Side Request Forgery (SSRF) vulnerability exists in the `load_openapi_spec_async` method in `litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py` of litellm. The MCP tool-loading code accepts an externally supplied `spec_path` URL, and that URL is fetched without validation, so an authenticated caller can make the proxy issue requests to hosts that should be unreachable from outside.

# Vulnerable Code

File: `litellm/proxy/_experimental/mcp_server/openapi_to_mcp_generator.py`

Method: `load_openapi_spec_async`

Why: Any user authenticating with a standard API key against `/mcp-rest/test/tools/list` can pass an `http://` URL as `spec_path`. Inside the method, `httpx.get(filepath)` fetches the remote schema with no domain allowlist, no DNS-rebinding mitigation, and no filtering of private or loopback IP ranges.

# Reproduction

1. Send an authenticated HTTP POST request to `/mcp-rest/test/tools/list`.
2. Set `spec_path` in the JSON body to a loopback or internal service (e.g. `"spec_path": "http://internal-service:8080/"`) or to a cloud metadata endpoint (e.g. `x.x.x.x`).
3. Observe the HTTP 200 response, whose body reflects the content fetched from the internal resource.

# Impact

- Access to otherwise unreachable internal hosts, databases, microservices, and ports from the network position of the proxy.
- Direct exfiltration path for cloud IAM metadata credentials when the proxy runs on an instance that uses standard AWS/GCP instance-metadata access.
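The report describes three missing controls around the `httpx.get(filepath)` call: scheme/host restriction, private-address filtering, and DNS-rebinding mitigation. The following is an added example, not litellm's code and not from the submitter, of a guard that a loader like `load_openapi_spec_async` could run before fetching a user-supplied `spec_path`. The function name `validate_spec_url`, the resolver hook, the allowlist and the sample DNS data are all assumptions made for illustration.

```python
"""
Added example (not litellm's own code): pre-fetch validation for a
user-supplied OpenAPI spec URL, covering the three gaps the report names.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list:
    """Resolve a hostname to every A/AAAA address it has (real DNS; needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    is_global is False for loopback, RFC 1918, link-local (which covers the
    169.254.169.254 cloud metadata endpoint), CGNAT, unique-local IPv6,
    the unspecified address and reserved ranges.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return addr.is_global and not addr.is_multicast


def validate_spec_url(
    spec_path: str,
    allowed_hosts: Optional[frozenset] = None,
    resolver: Resolver = default_resolver,
) -> Tuple[str, str]:
    """Validate a remote spec URL and return (hostname, vetted_ip).

    Raises ValueError unless spec_path is an https URL on port 443, with no
    embedded credentials, pointing at an allow-listed host (or, when
    allowed_hosts is None, at any host) whose *every* resolved address is
    globally routable.  The caller must connect to the returned IP rather
    than resolving the name a second time; a second lookup is exactly the
    window a DNS-rebinding attack needs.
    """
    parts = urlsplit(spec_path)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    host = host.lower().rstrip(".")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host}")

    # IP literals are checked directly; names are resolved once, here.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        addrs = list(resolver(host))
    else:
        addrs = [str(literal)]
    if not addrs:
        raise ValueError(f"host does not resolve: {host}")

    # Reject if ANY address is non-public: a name that round-robins between a
    # public and a private address is the classic rebinding setup.
    bad = [ip for ip in addrs if not is_public_address(ip)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return host, addrs[0]


# Constructed DNS data for offline use; the addresses are illustrative only.
FAKE_DNS = {
    "specs.example.com": ["8.8.8.8"],
    "rebind.example.net": ["1.1.1.1", "10.0.0.5"],
    "internal-service": ["10.1.2.3"],
}


def fake_resolver(host: str) -> list:
    """Stand-in for default_resolver so the example runs without network."""
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in [
        "https://specs.example.com/openapi.json",
        "http://internal-service:8080/",
        "https://169.254.169.254/latest/meta-data/",
        "https://rebind.example.net/spec.yaml",
    ]:
        try:
            print(url, "->", validate_spec_url(url, resolver=fake_resolver))
        except ValueError as err:
            print(url, "-> rejected:", err)
```

Two design notes. First, the vetted IP only closes the rebinding window if the HTTP client actually connects to it; with httpx that means a custom transport or resolver hook that connects to the IP while keeping the original hostname for SNI and certificate validation, otherwise the client will resolve the name again. Second, an allowlist of expected spec hosts (the `allowed_hosts` parameter) is the stronger control; the address-range check is the fallback for deployments that must accept arbitrary public URLs.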
Source: https://gist.github.com/YLChen-007/c1104c529975699ba347feedfbe02c5a
User: Eric-c (UID 96848)
Submitted: 23/04/2026 10:08 (2 months ago)
Moderated: 20/06/2026 19:12 (2 months later)
Status: Accepted
VulDB Entry: 372560 [BerriAI litellm up to 1.82.2 MCP OpenAPI Spec Loader openapi_to_mcp_generator.py load_openapi_spec_async spec_path privilege escalation]
Points: 20
