We use cookies to improve your experience on our site.
AVID-2026-R1644
Description
Exposure of Sensitive Information in berriai/litellm (CVE-2025-0330)
Details
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfuse_secret and langfuse_public_key, which can provide full access to the Langfuse project storing all requests.
Reason for inclusion in AVID: CVE-2025-0330 describes a software vulnerability in berriai/litellm where proxy_server.py leaks Langfuse API keys during error handling. This is a confidentiality breach (exposure of secrets) in a software component commonly used in AI workflows and pipelines, affecting the software supply chain for general-purpose AI systems. The CVE provides explicit vulnerability details (secret exposure, high severity, CWE-1230) and references, satisfying evidence requirements.
References
Affected or Relevant Artifacts
- Developer: berriai
- Deployer: berriai
- Artifact Details:
| Type | Name |
|---|---|
| System | berriai/litellm |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Base Score | 7.5 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-1230 | CWE-1230 Exposure of Sensitive Information Through Metadata |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry