Vulnerability  ·  2026-05-10

LiteLLM AI gateway SQL injection exposes proxy database and managed credentials

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-42208
LiteLLM, a widely used proxy server and AI gateway for calling LLM APIs, is vulnerable to SQL injection in its proxy API-key verification logic. The caller-supplied Authorization header value is concatenated into a database query as text instead of being bound as a query parameter, and the affected query is reachable through the proxy's error-handling path.
No authentication is required. An attacker sends a crafted Authorization header to any LLM API route exposed by the LiteLLM proxy, such as POST /chat/completions. The malformed header triggers the error-handling path, which runs the vulnerable SQL query with the attacker's input embedded in it. Successful exploitation allows reading from, and potentially modifying, the proxy's database, including the credentials, virtual API keys, routing configuration, and usage logs the gateway manages.
LiteLLM versions from 1.81.16 up to, but not including, 1.83.7 are affected. The impact is particularly severe in agentic deployments, where LiteLLM sits as the central gateway between agents, models, tools, and enterprise credentials.
Upgrade to LiteLLM 1.83.7 or later immediately; the fix is a parameterized query, and input filtering in front of the proxy is at best a stopgap. Rotate all proxy API keys and downstream LLM provider credentials if compromise is suspected, bearing in mind that the database an attacker can read is the one holding those keys. Harden AI-gateway infrastructure by applying least-privilege database roles, isolating tenant data, enabling query logging, and monitoring for failed or malformed authorization attempts. Treat AI gateways as privileged infrastructure and include them in external attack-surface management and anomaly detection.
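The following is an added example, not LiteLLM's source and not the reported exploit: it models the bug shape described above (a parameterized fast path whose error-handling fallback splices the raw header into SQL) beside the hardened form, using an in-memory SQLite table with constructed keys. The table name, key format and the classic tautology payload are illustrative assumptions.

```python
"""Illustrative reproduction of the bug class in this advisory, NOT LiteLLM's
actual code. The schema, key format and payload are constructed for the demo."""
import re
import sqlite3

# Constructed sample data: two tenants' virtual keys. Not from any real deployment.
KEYS = [
    ("sk-team-a-1111", "team-a", "gpt-4o"),
    ("sk-team-b-2222", "team-b", "claude-3-5-sonnet"),
]

TOKEN_RE = re.compile(r"^sk-[A-Za-z0-9_-]+$")   # assumed key charset


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE verification_tokens (token TEXT PRIMARY KEY, team TEXT, models TEXT)"
    )
    conn.executemany("INSERT INTO verification_tokens VALUES (?, ?, ?)", KEYS)
    return conn


def parse_bearer_strict(authorization: str) -> str:
    """Accept only 'Bearer <well-formed token>'; raise on anything else."""
    if not authorization.startswith("Bearer "):
        raise ValueError("missing Bearer scheme")
    token = authorization[len("Bearer "):].strip()
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("malformed token")
    return token


def verify_key_vulnerable(conn, authorization: str):
    """Bug shape described in the advisory: the normal path binds the token,
    but the except branch taken on a malformed header builds SQL by string
    formatting, so header text becomes query text."""
    try:
        token = parse_bearer_strict(authorization)
    except ValueError:
        raw = authorization.removeprefix("Bearer ")
        # VULNERABLE: raw header value spliced into the statement.
        sql = f"SELECT token, team, models FROM verification_tokens WHERE token = '{raw}'"
        return conn.execute(sql).fetchall()
    return conn.execute(
        "SELECT token, team, models FROM verification_tokens WHERE token = ?", (token,)
    ).fetchall()


def verify_key_safe(conn, authorization: str):
    """Hardened form: a malformed header is rejected outright, and the only
    query that ever runs binds the token as a parameter."""
    try:
        token = parse_bearer_strict(authorization)
    except ValueError:
        return []   # no fallback lookup, no query
    return conn.execute(
        "SELECT token, team, models FROM verification_tokens WHERE token = ?", (token,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "Bearer ' OR '1'='1"          # constructed tautology, not the CVE payload
    print(verify_key_vulnerable(db, payload))  # every tenant's key row comes back
    print(verify_key_safe(db, payload))        # []
```

Run it and the vulnerable lookup returns both tenants' rows for a header that names no key at all, which is exactly the cross-tenant read the advisory describes; the hardened lookup returns nothing. The strict parser is defence in depth, not the fix: the fix is that no code path ever formats the header into SQL.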
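As an added example of the monitoring step above (not a LiteLLM feature), this classifies the Authorization header of each proxy request and raises a per-client alert when SQL metacharacters appear or malformed attempts pile up. The log record fields and the sample records are constructed; the key charset is an assumption.

```python
"""Added example: per-client detection of malformed / injection-shaped
Authorization headers over constructed proxy log records. Not LiteLLM code."""
import re
from collections import Counter, defaultdict
from typing import Optional

TOKEN_RE = re.compile(r"^sk-[A-Za-z0-9_-]{8,}$")            # assumed key format
SQL_META = re.compile(r"['\";]|--|/\*|\b(or|and|union|select)\b", re.IGNORECASE)


def classify_authorization(value: Optional[str]) -> str:
    """Bucket a header value: ok, missing, bad_scheme, malformed, sql_metachars."""
    if value is None:
        return "missing"
    if not value.startswith("Bearer "):
        return "bad_scheme"
    token = value[len("Bearer "):]
    if TOKEN_RE.fullmatch(token):
        return "ok"
    if SQL_META.search(token):
        return "sql_metachars"
    return "malformed"


# Constructed log records; field names are an assumption, not LiteLLM's schema.
SAMPLE_LOG = [
    {"client_ip": "203.0.113.7",  "path": "/chat/completions", "status": 200,
     "authorization": "Bearer sk-team-a-1111abcd"},
    {"client_ip": "203.0.113.7",  "path": "/chat/completions", "status": 200,
     "authorization": "Bearer sk-team-a-1111abcd"},
    {"client_ip": "198.51.100.9", "path": "/chat/completions", "status": 401,
     "authorization": "Bearer ' OR '1'='1"},
    {"client_ip": "192.0.2.4",    "path": "/chat/completions", "status": 401,
     "authorization": "Basic dXNlcjpwYXNz"},
    {"client_ip": "192.0.2.4",    "path": "/chat/completions", "status": 401,
     "authorization": "Bearer sk-x"},
    {"client_ip": "192.0.2.4",    "path": "/chat/completions", "status": 401,
     "authorization": None},
]


def summarize(records, threshold: int = 3):
    """Return [(client_ip, counts)] for clients that sent any injection-shaped
    header or at least `threshold` non-ok headers."""
    per_ip = defaultdict(Counter)
    for rec in records:
        per_ip[rec["client_ip"]][classify_authorization(rec.get("authorization"))] += 1
    alerts = []
    for ip, counts in sorted(per_ip.items()):
        bad = sum(n for kind, n in counts.items() if kind != "ok")
        if counts["sql_metachars"] or bad >= threshold:
            alerts.append((ip, dict(counts)))
    return alerts


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG):
        print(ip, counts)
```

A single injection-shaped header is worth an alert on its own because the proxy's error path is exactly what the malformed value reaches before the fix; the threshold on plain malformed attempts is for noisy scanning. The classifier sees the header in-process and never writes it to the log, since logged Authorization values are themselves credentials.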
Sources
CVE.org: CVE-2026-42208
NVD: CVE-2026-42208