[+] LiteLLM Authorization-token SQL injection reproduction [+] This runs real LiteLLM proxy processes and sends network requests to GET /model/info. [+] Cache directory: /data/pruva/project-cache/ea84d142-3b88-4e3b-ad6b-a004b7386804 [+] Reusing LiteLLM checkout at /data/pruva/project-cache/ea84d142-3b88-4e3b-ad6b-a004b7386804/repo [+] PostgreSQL binaries: /usr/lib/postgresql/18/bin [+] Starting PostgreSQL on 127.0.0.1:36549 [+] PostgreSQL is ready [+] Reusing database litellm_repro_vuln [+] Reusing database litellm_repro_fixed [+] Reusing venv litellm_vuln_1_83_6 with litellm==1.83.6 [+] Reusing venv litellm_fixed_1_83_7 with litellm==1.83.7 [+] Prisma schema already present in litellm_repro_vuln; skipping slow db push [+] Prisma schema already present in litellm_repro_fixed; skipping slow db push [+] Verified package delta: vulnerable raw SQL interpolation vs fixed parameter binding [+] Starting LiteLLM 1.83.6 on 127.0.0.1:58155 using DB litellm_repro_vuln [+] Waiting for LiteLLM proxy on port 58155...................................................................................... ready (HTTP 401) [+] Creating one valid virtual key through the running proxy [+] Baseline: unknown non-sk token should be rejected quickly by vulnerable proxy [+] Baseline vulnerable response: time=0.013450s status=401 [+] Exploit: sending SQL payload in Authorization Bearer token to vulnerable proxy [+] Vulnerable injection response: time=3.012161s status=200 [+] Starting LiteLLM 1.83.7 on 127.0.0.1:54393 using DB litellm_repro_fixed [+] Waiting for LiteLLM proxy on port 54393........................................................................................ ready (HTTP 401) [+] Creating one valid virtual key through the running proxy [+] Negative control: sending the identical SQL payload to fixed proxy [+] Fixed injection response: time=0.015421s status=401 { "baseline_rejected": true, "vulnerable_delayed": true, "vulnerable_auth_bypassed": true, "fixed_rejected": true, "fixed_not_delayed": true, "pglog_contains_injected_sleep": true, "pglog_contains_fixed_parameter": true } [+] Wrote runtime manifest { "entrypoint_kind": "endpoint", "entrypoint_detail": "GET /model/info with attacker-controlled Authorization Bearer token", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "postgresql", "litellm-proxy" ], "proof_artifacts": [ "logs/reproduction_steps.log", "logs/source_delta.txt", "logs/proxy_vulnerable.log", "logs/proxy_fixed.log", "logs/postgres_repro.log", "logs/vuln_key_generate.json", "logs/fixed_key_generate.json", "logs/baseline_unknown.txt", "logs/vulnerable_injection.txt", "logs/fixed_injection.txt", "repro/result.txt" ], "notes": "Vulnerable LiteLLM 1.83.6 accepted a remote GET /model/info request with an injected Authorization token, PostgreSQL executed pg_sleep(3) from the interpolated WHERE clause, and the endpoint returned 200. LiteLLM 1.83.7 bound the same token as a positional SQL parameter, returned 401, and did not delay." } [+] CONFIRMED [+] Wrote runtime manifest { "entrypoint_kind": "endpoint", "entrypoint_detail": "GET /model/info with attacker-controlled Authorization Bearer token", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "postgresql", "litellm-proxy" ], "proof_artifacts": [ "logs/reproduction_steps.log", "logs/source_delta.txt", "logs/proxy_vulnerable.log", "logs/proxy_fixed.log", "logs/postgres_repro.log", "logs/vuln_key_generate.json", "logs/fixed_key_generate.json", "logs/baseline_unknown.txt", "logs/vulnerable_injection.txt", "logs/fixed_injection.txt", "repro/result.txt" ], "notes": "Vulnerable LiteLLM 1.83.6 accepted a remote GET /model/info request with an injected Authorization token, PostgreSQL executed pg_sleep(3) from the interpolated WHERE clause, and the endpoint returned 200. LiteLLM 1.83.7 bound the same token as a positional SQL parameter, returned 401, and did not delay." }