Closed krrishdholakia closed 1 week ago
Hi @krrishdholakia, thank you for letting us know that GHSA-qqcv-vg9f-5rr3 is fixed. I would like to include a fix commit for readers to refer to. Do you know which commit in 1.40.28 is the fix commit?
Hey @shelbyc it was a lot earlier than v1.40.28. If you look at the issue thread on huntr, even they couldn't repro it.
We've had a couple of refactors, so it's hard for me to point to the fix, but here's the point in the code that checks for this - https://github.com/BerriAI/litellm/blob/224148d6133ee50801cb129cbd21ccc213992e25/litellm/proxy/auth/user_api_key_auth.py#L1020
Hi @krrishdholakia! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Cool, thanks for the info! It looks like https://github.com/BerriAI/litellm/blob/224148d6133ee50801cb129cbd21ccc213992e25/litellm/proxy/auth/user_api_key_auth.py#L1020 was added in 1.40.15 so I set 1.40.15 as the patched version.
Thanks @shelbyc
Updates
Comments: This is not a current vulnerability. It's already been fixed. Incorrect report.