CVE-2025-0330

Summary

In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfuse_secret and langfuse_public_key, which can provide full access to the Langfuse project storing all requests.

Affected Software

VendorProductVersion RangeStatus
berriaiberriai/litellmunspecified <= latestaffected

Weaknesses

  • CWE-1230: CWE-1230 Exposure of Sensitive Information Through Metadata

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References