
fix: avoid vulnerable LiteLLM versions #113

Open

DougButdorf wants to merge 3 commits into cisco-ai-defense:main from DougButdorf:fix/litellm-cve-2026-42208


Conversation


DougButdorf commented May 15, 2026


Summary

  • Rebase on current upstream main.
  • Keep upstream's existing pyproject.toml / uv.lock LiteLLM fix: litellm>=1.83.7,<2, lockfile litellm==1.83.14.
  • Update the Homebrew formula resource from vulnerable litellm-1.83.0 to non-vulnerable litellm-1.83.14.

Why

GitHub advisory GHSA-r75f-5x8p-qvmc / CVE-2026-42208 affects LiteLLM >=1.81.16, <1.83.7. The formula resource was still vendoring 1.83.0, which is inside that range.

Verification

  • Confirmed no conflict markers.
  • Confirmed no vulnerable LiteLLM range remains in pyproject.toml, uv.lock, or Formula/skill-scanner.rb.
  • uv run --python 3.13 pytest -q
  • Result: 1300 passed, 5 skipped, 20 warnings.
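The verification step above amounts to checking every place LiteLLM is pinned (the `pyproject.toml` specifier, the `uv.lock` pin, and the Homebrew formula resource) against the advisory range `>=1.81.16, <1.83.7`. The script below is an added example, not code from this PR or from the cisco-ai-defense project: it implements that comparison and runs it over constructed sample snippets that imitate the three file formats. The file contents, the `PLACEHOLDER` URL path and `sha256` value are made up for the example; the version numbers and the advisory range are the ones quoted in the PR description.

```python
"""Audit pinned LiteLLM versions against the advisory range in the PR.

Added example; not part of the PR. Sample file contents are constructed.
Affected range from the PR text: >=1.81.16 (inclusive), <1.83.7 (exclusive).
"""
import re

VULN_MIN = "1.81.16"  # first affected version (inclusive)
VULN_MAX = "1.83.7"   # first fixed version (exclusive upper bound)


def parse_version(v: str) -> tuple:
    """Turn a dotted release string such as '1.83.14' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(version: str, lo: str = VULN_MIN, hi: str = VULN_MAX) -> bool:
    """True if a concrete pinned version falls inside [lo, hi)."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


# Operators of a PEP 440-style specifier, e.g. 'litellm>=1.83.7,<2'.
SPEC_RE = re.compile(r"(==|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")


def spec_admits_vulnerable(spec: str, lo: str = VULN_MIN, hi: str = VULN_MAX) -> bool:
    """True if a version specifier still allows some version in [lo, hi).

    An exact pin is checked directly. Otherwise the specifier admits a
    vulnerable version unless its lower bound is at or above hi, or its
    upper bound excludes everything from lo upward.
    """
    lo_v, hi_v = parse_version(lo), parse_version(hi)
    for op, ver in SPEC_RE.findall(spec):
        v = parse_version(ver)
        if op == "==":
            return lo_v <= v < hi_v
        if op in (">=", ">") and v >= hi_v:
            return False  # everything allowed is already at/after the fix
        if op == "<" and v <= lo_v:
            return False  # everything allowed predates the affected range
        if op == "<=" and v < lo_v:
            return False
    return True


# Pins as they appear in a uv.lock [[package]] table and a Homebrew resource URL.
LOCK_RE = re.compile(r'name = "litellm"\s*version = "([0-9.]+)"')
FORMULA_RE = re.compile(r"litellm-([0-9]+(?:\.[0-9]+)+)\.tar\.gz")


def find_pinned_versions(text: str) -> list:
    """Collect every LiteLLM version pinned in a lockfile or formula body."""
    found = set(LOCK_RE.findall(text)) | set(FORMULA_RE.findall(text))
    return sorted(found, key=parse_version)


def audit(files: dict) -> dict:
    """Map each file name to [(version, vulnerable?)] for the pins it contains."""
    return {
        name: [(v, is_vulnerable(v)) for v in find_pinned_versions(body)]
        for name, body in files.items()
    }


# Constructed sample inputs (not the repository's real files).
SAMPLE_UV_LOCK = """\
[[package]]
name = "litellm"
version = "1.83.14"
source = { registry = "https://pypi.org/simple" }
"""

SAMPLE_FORMULA_BEFORE = """\
  resource "litellm" do
    url "https://files.pythonhosted.org/packages/PLACEHOLDER/litellm-1.83.0.tar.gz"
    sha256 "PLACEHOLDER"
  end
"""

if __name__ == "__main__":
    print("pyproject specifier still admits vulnerable release:",
          spec_admits_vulnerable("litellm>=1.83.7,<2"))
    for name, pins in audit({"uv.lock": SAMPLE_UV_LOCK,
                             "Formula/skill-scanner.rb": SAMPLE_FORMULA_BEFORE}).items():
        for version, bad in pins:
            print(f"{name}: litellm {version} -> {'VULNERABLE' if bad else 'ok'}")
```

Running it flags the constructed formula's `litellm-1.83.0` as inside the affected range while the lockfile's `1.83.14` and the `>=1.83.7,<2` specifier pass, which is the state the PR description says the branch reaches. The specifier check is deliberately conservative: a range with no upper bound at all, or one that merely sits below `1.83.7`, is reported as still admitting a vulnerable release.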

DougButdorf force-pushed the fix/litellm-cve-2026-42208 branch from 1cf84ea to 8643604 on May 15, 2026 17:38

joshlembergtrimble commented May 22, 2026


The current LiteLLM version is causing breaking changes in our systems using this repo. Can we get this reviewed and merged? I see @vineethsai7 has contributed to this repo a lot recently, and @sanket-mendapara as well, maybe they can review?
