STAR Labs — Four Full-Chain LiteLLM Exploits Across Versions

AI relevance: LiteLLM sits at the core of AI model routing and authentication for thousands of production deployments — four independent exploit chains escalating from internal user keys to server RCE reveal the fragility of this critical middleware.

What happened

  • STAR Labs researchers targeted LiteLLM as a Pwn2Own Berlin 2026 entry under the new Local Inference Category, developing four complete exploit chains across versions 1.82.3 through 1.83.14.
  • Each chain escalates from an internal user key to server-side remote code execution (RCE), using different vulnerability combinations as the vendor rapidly patched between versions.
  • Version 1.82.3: Researchers used Claude 4.6 Opus to assist code auditing and discovered an authentication bypass that triggers when the database is unavailable: any exception in the auth builder routes to a fallback handler, allowing pre-auth exploitation without any valid credentials.
  • Version 1.83.7: After the first bypass was patched, researchers identified a new path using SSRF-to-RCE through LiteLLM's model provider URL configuration, chaining internal network access to command execution.
  • Version 1.83.10: A third chain exploited insecure deserialization in LiteLLM's logging pipeline, where user-controlled data in log metadata could trigger arbitrary object instantiation.
  • Version 1.83.14: The fourth chain targeted a path traversal in file upload handling combined with a race condition in LiteLLM's hot-reload mechanism to achieve code execution on the host.
  • After BerriAI rebuilt their release pipeline (CI/CD v2 with isolated builds, stronger gates, and signed images), the researchers documented all four chains in a public write-up.

Why it matters

  • LiteLLM processes authentication, routing, and billing across hundreds of LLM providers — a compromise grants lateral movement across the entire AI model infrastructure of any organization using it.
  • The rapid iteration of patches (four full-chain exploits across four consecutive versions) shows how difficult it is to secure a complex middleware layer under active attack.
  • The use of Claude 4.6 Opus for vulnerability discovery demonstrates that AI-assisted security research is producing results at pace — both defenders and attackers now have access to the same tools.
  • LiteLLM's 95 million monthly downloads make any vulnerability in the library a potential mass-impact event, as demonstrated by the Mercor breach.

What to do

  • Update LiteLLM to the latest version and verify that no older, vulnerable versions are deployed in any environment (production, staging, CI/CD, or dev).
  • Isolate LiteLLM deployments from sensitive host resources — run in containers with minimal filesystem access and network egress controls.
  • Monitor for anomalous database connection failures, which could trigger the auth bypass fallback path in older versions.
  • Enable signed releases and verify LiteLLM package checksums before deployment; prefer container images with verified signatures.
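
Added example (not from the STAR Labs write-up or from LiteLLM's code) for the monitoring step above: it correlates database errors with requests that succeeded without a resolved API key shortly afterwards, which is the signature of an auth path that fails open. The JSON-lines schema (ts, event, status, key_id), the function name and the sample events are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample events in a hypothetical JSON-lines schema; map your
# proxy's real log fields onto ts / event / status / key_id before use.
SAMPLE_LOG = """\
{"ts": "2026-01-10T09:00:00", "event": "request", "path": "/chat/completions", "status": 200, "key_id": "k-17"}
{"ts": "2026-01-10T09:00:05", "event": "db_error", "detail": "connection refused"}
{"ts": "2026-01-10T09:00:07", "event": "request", "path": "/models", "status": 200, "key_id": null}
{"ts": "2026-01-10T09:00:09", "event": "request", "path": "/chat/completions", "status": 401, "key_id": null}
{"ts": "2026-01-10T09:00:20", "event": "request", "path": "/chat/completions", "status": 200, "key_id": "k-17"}
{"ts": "2026-01-10T09:05:00", "event": "request", "path": "/health", "status": 200, "key_id": null}
"""

def find_fail_open_requests(lines, window_s=30):
    """Return (ts, path, seconds_since_db_error) for requests that succeeded
    with no resolved key within window_s seconds after a database error."""
    # Assumes lines are in chronological order, as in an append-only log.
    last_db_error = None
    hits = []
    for raw in lines:
        try:
            ev = json.loads(raw)
            ts = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            continue  # skip blank or malformed lines instead of aborting the scan
        status = ev.get("status")
        if ev.get("event") == "db_error":
            last_db_error = ts
        elif ev.get("event") == "request" and last_db_error is not None:
            age = (ts - last_db_error).total_seconds()
            ok = isinstance(status, int) and 200 <= status < 300
            if 0 <= age <= window_s and ok and ev.get("key_id") is None:
                hits.append((ev["ts"], ev.get("path"), age))
    return hits

if __name__ == "__main__":
    for hit in find_fail_open_requests(SAMPLE_LOG.splitlines()):
        print("ALERT success without key after DB error:", hit)
```

Endpoints that are intentionally unauthenticated (health checks, for example) should be excluded before alerting, otherwise a wide window will flag them.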

Sources