📄 Description (English)
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7.
🤖 AI Executive Summary
LiteLLM versions 1.80.5 to 1.83.6 contain a critical code injection vulnerability in the POST /prompts/test endpoint that allows authenticated users to execute arbitrary code within the proxy process. The vulnerability stems from unsandboxed rendering of user-supplied prompt templates, potentially exposing sensitive credentials and enabling command execution on the host system. This poses significant risk to organizations using LiteLLM as an AI Gateway, particularly those managing multiple LLM provider integrations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 13, 2026 21:37
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations at highest risk include: (1) Financial institutions and SAMA-regulated banks implementing AI-powered customer service and fraud detection systems using LiteLLM; (2) Government agencies under NCA oversight deploying LiteLLM for document processing and citizen services; (3) Healthcare providers using AI gateways for medical record analysis and diagnostics; (4) Energy sector (ARAMCO, utilities) leveraging LLM proxies for operational analytics; (5) Telecom operators (STC, Mobily) using AI gateways for network optimization. The vulnerability is particularly critical for organizations storing provider API keys, database credentials, or classified data in environment variables accessible to the LiteLLM process.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Insurance
E-commerce and Retail
Education and Research
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application: Exploitation of /prompts/test endpoint
T1059 - Command and Scripting Interpreter: Arbitrary code execution via template injection
T1087 - Account Discovery: Enumeration of valid API keys through endpoint testing
T1555 - Credentials from Password Stores: Extraction of API keys from environment variables
T1005 - Data from Local System: Access to sensitive data in process memory
T1021 - Remote Services: Potential lateral movement via compromised proxy process
T1078 - Valid Accounts: Abuse of legitimate API keys for exploitation
T1552 - Unsecured Credentials: Exposure of credentials in environment variables
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all LiteLLM deployments in your environment and verify versions (1.80.5 to 1.83.6 are vulnerable)
2. Restrict network access to LiteLLM proxy endpoints using firewall rules and network segmentation
3. Review API key audit logs for unauthorized /prompts/test endpoint access
4. Rotate all provider API keys, database credentials, and secrets that may have been exposed
PATCHING:
1. Upgrade LiteLLM to version 1.83.7 or later immediately
2. Test the patched version in a staging environment before production deployment
3. Implement automated patching procedures for future LiteLLM updates
COMPENSATING CONTROLS (if immediate patching is not possible):
1. Disable the /prompts/test endpoint at the reverse proxy/load balancer level
2. Implement strict API key validation and rate limiting on all LiteLLM endpoints
3. Run LiteLLM in a containerized environment with minimal privileges and restricted environment variables
4. Monitor process execution and environment variable access using EDR/XDR solutions
DETECTION:
1. Monitor for POST requests to /prompts/test endpoint with suspicious template payloads
2. Alert on any child process spawning from LiteLLM process (python, bash, cmd.exe)
3. Monitor environment variable access and credential exposure in logs
4. Implement SIEM rules to detect template injection patterns (e.g., Jinja2, Mako syntax in prompts)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نشرات LiteLLM في بيئتك والتحقق من الإصدارات (الإصدارات 1.80.5 إلى 1.83.6 معرضة للخطر)
2. قيد الوصول إلى نقاط نهاية وكيل LiteLLM باستخدام قواعد جدار الحماية وتقسيم الشبكة
3. راجع سجلات تدقيق مفاتيح API للوصول غير المصرح به إلى نقطة نهاية /prompts/test
4. قم بتدوير جميع مفاتيح موفري الخدمات وبيانات اعتماد قاعدة البيانات والأسرار التي قد تكون قد تعرضت
التصحيح:
1. قم بترقية LiteLLM إلى الإصدار 1.83.7 أو أحدث على الفور
2. اختبر الإصدار المصحح في بيئة التجميع قبل نشر الإنتاج
3. تنفيذ إجراءات التصحيح الآلي لتحديثات LiteLLM المستقبلية
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل نقطة نهاية /prompts/test على مستوى الوكيل العكسي/موازن التحميل
2. تنفيذ التحقق الصارم من مفاتيح API وتحديد معدل على جميع نقاط نهاية LiteLLM
3. تشغيل LiteLLM في بيئة حاوية بامتيازات محدودة ومتغيرات بيئة مقيدة
4. مراقبة تنفيذ العملية والوصول إلى متغيرات البيئة باستخدام حلول EDR/XDR
الكشف:
1. مراقبة طلبات POST إلى نقطة نهاية /prompts/test بحمولات قالب مريبة
2. تنبيه على أي عملية فرعية تنبثق من عملية LiteLLM (python, bash, cmd.exe)
3. مراقبة الوصول إلى متغيرات البيئة وتعريض بيانات الاعتماد في السجلات
4. تنفيذ قواعد SIEM للكشف عن أنماط حقن القالب (مثل بناء جملة Jinja2 و Mako في المطالبات)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control: Unauthorized code execution violates principle of least privilege
ECC 2024 A.5.2.1 - User Access Management: Authenticated users exploiting endpoint without proper authorization controls
ECC 2024 A.6.1.1 - Cryptography: Exposure of API keys and credentials stored in environment variables
ECC 2024 A.12.2.1 - Logging and Monitoring: Insufficient logging of /prompts/test endpoint access
ECC 2024 A.12.4.1 - Event Logging: Need for detection of suspicious template injection attempts
🔵 SAMA CSF
SAMA CSF ID.AM-2: Asset Management - Inventory and track all LiteLLM deployments
SAMA CSF PR.AC-1: Access Control - Enforce authentication and authorization on proxy endpoints
SAMA CSF PR.AC-3: Access Control - Implement principle of least privilege for process execution
SAMA CSF PR.PT-1: Protection Processes - Patch management and vulnerability remediation
SAMA CSF DE.CM-1: Detection and Analysis - Monitor for unauthorized code execution attempts
SAMA CSF RS.MI-2: Response Mitigation - Credential rotation and incident response procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security: Code injection vulnerability management
ISO 27001:2022 A.5.2 - Information security roles and responsibilities: Secure API endpoint design
ISO 27001:2022 A.6.1 - Cryptography: Protection of API keys and credentials
ISO 27001:2022 A.8.1 - Asset management: Inventory of LiteLLM instances and configurations
ISO 27001:2022 A.8.3 - Media handling: Secure handling of sensitive data in process memory
ISO 27001:2022 A.12.3 - Logging: Comprehensive logging of endpoint access and code execution
ISO 27001:2022 A.12.6 - Management of technical vulnerabilities: Patch management procedures
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches: Timely patching of LiteLLM to version 1.83.7+
PCI DSS 7.1 - Access control: Restrict access to /prompts/test endpoint
PCI DSS 8.1 - User identification: Enforce strong authentication for API key access
PCI DSS 10.2 - Logging: Log all access to sensitive endpoints and credential exposure
📦 Affected Products / CPE 1 entries
litellm:litellm