LiteLLM: Authentication Bypass via Host Header Injection
- When
- Where
- Global (internet)
- Category
- cyber_advisory · pip
### Impact A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from `request.url.path` in `litellm/proxy/auth/auth_utils.py::get_request_route()`, which Starlette reconstructs from the `Host` header. A crafted `Host` could therefore make the auth gate evaluate a different route from the one FastAPI dispatched. **Most deployments are not affected.** The bypass is blocked by any upstream layer that validates or normalizes `Host`, such as: - a CDN or WAF, such as Cloudflare - a reverse proxy with `server_name` allowlists - a host-based load balancer **LiteLLM Cloud customers are not affected.** ### Patches Fixed in **`1.84.0`**. Upgrade to `1.84.0` or later. No configuration change is required. ### Workarounds If upgrading is not immediately possible, place the proxy behind an upstream component that validates or normalizes the `Host` header before forwarding (a CDN/WAF, a reverse proxy with explicit `server_name` allowlists, or a cloud load balancer with host-based routing rules), or otherwise restrict network access to the proxy listener. ### References - Patched release: [`v1.84.0`](https://github.com/BerriAI/litellm/releases/tag/v1.84.0) **Discovery Credit**: Le The Thang (KCSC) and Kim Ngoc Chung (One Mount Group)
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-16 23:38 UTC
Defaxon links out to the original reporting and never republishes article text.
Correlated events
Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.
No correlated events found in the current window. As more events arrive, connections form automatically.