Submission #811291: litellm <= 1.82.2 Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Title: litellm <= 1.82.2 Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Description:

# Technical Details

An Information Disclosure vulnerability exists in the `ui_view_users` method in `litellm/proxy/management_endpoints/internal_user_endpoints.py` of litellm. The fix for the previous `CVE-2025-0628` improperly registers `/user/filter/ui` inside the `info_routes` mapping namespace in `litellm/proxy/_types.py`. This bypasses strict administrative role evaluation and relies solely on the internal API structure correctly mapping its identity logic, which fails to securely handle the request without asserting ownership.

# Vulnerable Code

File: `litellm/proxy/management_endpoints/internal_user_endpoints.py`
Method: `ui_view_users`
Why: Because `/user/filter/ui` runs through the lenient checks of `non_proxy_admin_allowed_routes_check` assigned via the mapped namespace, it bypasses top-level Proxy Admin enforcement completely. Once passed down to the DB handler, there are no filters ensuring the targeted data mapping remains scoped exclusively to the internal role query token—leading to a total unconstrained global dataset query across multi-tenant users.

# Reproduction

1. Generate an enterprise role with minimal rights, explicitly restricted to `internal_user_viewer`.
2. Issue a simple HTTP GET pointing toward `/user/filter/ui` (e.g., `curl -s -X GET "http://localhost:4000/user/filter/ui" -H "Authorization: Bearer <LOW_PRIV_KEY>"`).
3. Experience complete database exposure detailing across all integrated tables regarding Super Admin arrays and cross-tenant User Identifiers alongside generic mapping fields.

# Impact

- System-wide exposure of administrative user IDs and critical tenant emails.
- Targeted enumeration allows focused targeting of privilege pools leveraging exposed administrative UUID mappings, potentially tying into parallel IDOR weaknesses.
Source: https://gist.github.com/YLChen-007/3ace22e33e468d0166fe609c9fdf4184
User: Eric-d (UID 96861)
Submission: 23/04/2026 10:12 (2 months ago)
Moderation: 20/06/2026 19:12 (2 months later)
Status: Accepted
VulDB Entry: 372561 [BerriAI litellm up to 1.82.2 Incomplete Fix CVE-2025-0628 internal_user_endpoints.py ui_view_users privilege escalation]
Points: 20
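The misregistration the submission describes, modelled as an added example (not litellm's code): a cross-tenant route filed under the lenient `info_routes` namespace passes the non-admin rule, while an explicit admin-required allowlist checked before the namespace map closes the gap and gives a simple detection hook. `/user/info` is a constructed sample route; the map layout, function names and log format are assumptions.

```python
# Added illustration, not litellm's code: a minimal model of namespace-driven
# route authorization and the defence-in-depth check that survives a misfiled
# route. Role and route names mirror the report; "/user/info" is constructed.

PROXY_ADMIN = "proxy_admin"
INTERNAL_USER_VIEWER = "internal_user_viewer"
SENSITIVE_ROUTE = "/user/filter/ui"

# Weak map: the cross-tenant listing endpoint is filed under info_routes.
WEAK_ROUTE_MAP = {
    "info_routes": {"/user/info", SENSITIVE_ROUTE},
    "admin_only_routes": set(),
}

# Corrected map: the endpoint is filed as admin-only.
FIXED_ROUTE_MAP = {
    "info_routes": {"/user/info"},
    "admin_only_routes": {SENSITIVE_ROUTE},
}

# Routes that must always require proxy admin, independent of the map.
ADMIN_REQUIRED = frozenset({SENSITIVE_ROUTE})


def route_allowed(role, route, route_map):
    """Namespace-driven check: admins pass; everyone else gets only what the
    map files under info_routes. A misfiled route therefore widens access."""
    if role == PROXY_ADMIN:
        return True
    if route in route_map["admin_only_routes"]:
        return False
    return route in route_map["info_routes"]


def route_allowed_hardened(role, route, route_map):
    """Assert the admin requirement from an explicit allowlist before
    consulting the namespace map, so a later misregistration in the map
    cannot grant a non-admin role the route."""
    if route in ADMIN_REQUIRED and role != PROXY_ADMIN:
        return False
    return route_allowed(role, route, route_map)


def flag_suspicious(access_log):
    """Detection: (role, route) pairs where a non-admin role successfully
    reached an admin-required route. Entries are (role, route, status)."""
    return [(role, route) for role, route, status in access_log
            if route in ADMIN_REQUIRED and role != PROXY_ADMIN and status == 200]
```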
