GHSA-xqmj-j6mv-4862: LiteLLM: Server-Side Template Injection in /prompts/test endpoint

April 24, 2026

The POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process.

The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host.

Proxy deployments running an affected version are in scope.

References

github.com/BerriAI/litellm
github.com/BerriAI/litellm/releases/tag/v1.83.7-stable
github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862
github.com/advisories/GHSA-xqmj-j6mv-4862

Code Behaviors & Features

Detect and mitigate GHSA-xqmj-j6mv-4862 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →