CVE-2025-0330: LiteLLM Has a Leakage of Langfuse API Keys

March 20, 2025

In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfuse_secret and langfuse_public_key, which can provide full access to the Langfuse project storing all requests.

References

github.com/BerriAI/litellm
github.com/advisories/GHSA-879v-fggm-vxw2
huntr.com/bounties/661b388a-44d8-4ad5-862b-4dc5b80be30a
nvd.nist.gov/vuln/detail/CVE-2025-0330

Code Behaviors & Features

Detect and mitigate CVE-2025-0330 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →