python · litellm · Critical
LiteLLM Proxy Host-Header Parsing Flaw Allows Unauthenticated Access to Management Routes
What changed
A Host-header parsing flaw in LiteLLM proxy could allow unauthenticated access to protected management routes under specific conditions.
Who it affects
Deployments not behind an upstream layer that validates or normalizes the Host header (e.g., CDN, WAF, reverse proxy with server_name allowlists, or host-based load balancer).
What to do today
Upgrade to version 1.84.0 or later immediately. If upgrade is not possible, place the proxy behind an upstream component that validates or normalizes the Host header.
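One way to build the upstream Host allowlist described above, as an nginx configuration added here (not LiteLLM's or this advisory's own). The hostname llm.example.internal, the certificate paths and the backend address 127.0.0.1:4000 are assumed placeholders.

```nginx
# Added example: reverse proxy that only forwards requests whose Host header
# matches an allowlisted server_name. All names and paths below are assumptions.

# Catch-all server: any request whose Host header matches no allowlisted
# server_name is routed here and dropped before it reaches the proxy.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Refuse TLS handshakes for unknown SNI names (nginx 1.19.4 or later),
    # so no certificate is needed in this block.
    ssl_reject_handshake on;

    # Close the connection without sending a response.
    return 444;
}

# Allowlisted virtual host: the only route to the LiteLLM proxy.
server {
    listen 443 ssl;
    server_name llm.example.internal;             # assumed hostname

    ssl_certificate     /etc/nginx/tls/llm.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/llm.key;   # assumed path

    location / {
        # Assumed backend address; the proxy should listen only on loopback.
        proxy_pass http://127.0.0.1:4000;

        # $host is nginx's normalized host name (lowercased, port removed),
        # so the backend never sees the raw client-supplied header value.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The allowlist only protects the proxy if LiteLLM is reachable solely through nginx, so bind it to loopback or a private interface and block direct access to its port.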