CVE-2025-11203

UNKNOWN
Published October 29, 2025
CISO Take

LiteLLM's health endpoint leaks API keys to any authenticated user, exposing credentials for every connected LLM provider (OpenAI, Anthropic, Azure OpenAI, etc.). Patch to v1.63.14+ immediately and rotate all API keys stored in your LiteLLM deployment. Audit health endpoint access logs retroactively — if LiteLLM is internet-facing with shared credentials, assume compromise.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. PATCH: Upgrade LiteLLM to v1.63.14-stable immediately — this is a targeted fix per release notes.
  2. ROTATE: Rotate all API keys stored in LiteLLM configuration post-patch; revoke the old keys at the provider level.
  3. AUDIT: Query logs for GET/POST requests to the /health endpoint with an API_KEY parameter from the past 90 days.
  4. RESTRICT: Limit access to the health endpoint via network ACLs or API gateway policies — it should not be publicly reachable.
  5. SCOPE: Replace shared high-privilege provider API keys with scoped keys (spending limits, restricted models) to reduce the blast radius of future credential leaks.
  6. DETECT: Alert on health endpoint access by non-admin authenticated users.
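The AUDIT and DETECT steps above both reduce to one log query: find requests to the health endpoint that either carry an API_KEY parameter or come from a virtual key that is not an admin key. The script below is an added example written for this advisory, not code from the LiteLLM project; the access-log line format, the `key=` field, the sample lines and the `ADMIN_KEYS` allowlist are all constructed assumptions, and the regex should be adapted to whatever your proxy or gateway actually emits. Findings carry only a masked key suffix so the audit output does not itself become a credential store.

```python
"""Audit a LiteLLM proxy access log for risky /health requests (CVE-2025-11203).

Added example, not from the advisory or the LiteLLM project. The log line
format, the key field and the admin-key list are constructed assumptions;
adapt LOG_LINE to the format your gateway or proxy really writes.
"""
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import parse_qs, urlsplit

# Assumed (constructed) access-log shape:
#   <iso timestamp> <client ip> key=<virtual key> "<METHOD> <target> HTTP/x.y" <status>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) key=(?P<key>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})$'
)

# Constructed sample: one admin call, one developer key passing API_KEY to
# /health, one unrelated completion call, one CI key probing a sub-path, and
# one junk line that must be skipped rather than abort the audit.
SAMPLE_LOG = """\
2025-10-29T10:00:01Z 10.0.0.5 key=sk-admin-0001 "GET /health HTTP/1.1" 200
2025-10-29T10:02:14Z 203.0.113.7 key=sk-dev-4421 "GET /health?API_KEY=sk-dev-4421 HTTP/1.1" 200
2025-10-29T10:03:00Z 10.0.0.9 key=sk-dev-4421 "POST /chat/completions HTTP/1.1" 200
2025-10-29T10:05:30Z 203.0.113.7 key=sk-ci-0099 "GET /health/readiness HTTP/1.1" 200
this line is not an access-log record
"""

ADMIN_KEYS: Set[str] = {"sk-admin-0001"}  # constructed allowlist of admin virtual keys


def mask_key(key: str) -> str:
    """Never copy a full credential into a finding; keep only a short suffix."""
    return "****" + key[-4:]


def is_health_path(path: str) -> bool:
    # Assumption: the health endpoint is /health plus any sub-path under it.
    return path == "/health" or path.startswith("/health/")


def audit_health_access(lines: Iterable[str], admin_keys: Set[str]) -> List[Dict[str, object]]:
    """Return one finding per /health request that is risky under this CVE.

    reasons:
      api_key_param    - an api_key-style query parameter reached /health (AUDIT step)
      non_admin_caller - the caller's virtual key is not an admin key (DETECT step)
    """
    findings: List[Dict[str, object]] = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # malformed or unrelated line: skip it, keep auditing
        parts = urlsplit(m["target"])
        if not is_health_path(parts.path):
            continue
        # Parameter names are compared case-insensitively (API_KEY, api_key, ...).
        params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        reasons = []
        if "api_key" in params:
            reasons.append("api_key_param")
        if m["key"] not in admin_keys:
            reasons.append("non_admin_caller")
        if reasons:
            findings.append({
                "ts": m["ts"],
                "src": m["src"],
                "key": mask_key(m["key"]),
                "path": parts.path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_health_access(SAMPLE_LOG.splitlines(), ADMIN_KEYS):
        print(finding)
```

Run against the constructed sample it reports two findings: the developer key that passed API_KEY to /health (both reasons) and the CI key that reached /health/readiness (non-admin caller only); the admin call and the completion request are silent. Feed it the last 90 days of real access logs to satisfy the AUDIT step, and wire the same predicate into the alerting pipeline for the DETECT step.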

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - Information security in AI system lifecycle
NIST AI RMF
MANAGE-2.2 - Risk Treatment — Monitoring and Response
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Technical Details

NVD Description

LiteLLM Information health API_KEY Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LiteLLM. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the API_KEY parameter provided to the health endpoint. The issue results from exposing sensitive information to an unauthorized actor. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26585.

Exploitation Scenario

An attacker with any valid LiteLLM API key — obtained via a phishing campaign targeting a developer, a leaked .env file in a public repo, or a compromised CI/CD secret — authenticates to the LiteLLM proxy and queries the /health endpoint passing their API_KEY. The response returns stored provider credentials (e.g., OPENAI_API_KEY, ANTHROPIC_API_KEY) in plaintext. The attacker extracts these keys, establishes direct API access to provider accounts bypassing LiteLLM entirely, and uses them to exfiltrate training data context via inference queries, run unauthorized inference at the victim's expense, or sell the credentials on darknet markets. The original compromised LiteLLM key may never trigger downstream provider alerts.

Weaknesses (CWE)

Timeline

Published
October 29, 2025
Last Modified
October 30, 2025
First Seen
October 29, 2025