CVE-2025-45809 is a medium-severity SQL injection vulnerability identified in BerriAI litellm version 1.65.4, specifically via the /key/block endpoint. SQL injection (CWE-89) vulnerabilities occur when untrusted input is improperly sanitized and directly incorporated into SQL queries, allowing an attacker to manipulate the backend database. In this case, the vulnerability allows an unauthenticated remote attacker to inject malicious SQL commands through the /key/block endpoint, which is accessible over the network (AV:N). The attack complexity is low (AC:L), and no privileges are required (PR:N), but user interaction is needed (UI:R), indicating that the attacker must trick a user into triggering the malicious request. The vulnerability impacts confidentiality and integrity (C:L/I:L) but does not affect availability (A:N). The scope is unchanged (S:U), meaning the vulnerability affects only the vulnerable component without impacting other components. Although no known exploits are currently in the wild, the presence of this vulnerability in a component of BerriAI litellm—a software likely used for AI or machine learning model management or deployment—could allow attackers to extract sensitive data or modify database contents if exploited. The lack of available patches at the time of publication increases the urgency for mitigation and monitoring. Given the CVSS score of 5.4, this vulnerability is considered medium severity but should not be underestimated due to the potential for data leakage and integrity compromise.

For European organizations using BerriAI litellm, this vulnerability poses a risk of unauthorized data access and potential data manipulation, which could lead to breaches of sensitive information, including intellectual property or personal data protected under GDPR. The confidentiality impact could result in exposure of proprietary AI model data or user credentials stored in the database. Integrity compromise could lead to corrupted or manipulated data, affecting AI model outputs or business processes relying on this data. Although availability is not directly impacted, the indirect consequences of data manipulation could disrupt operations. Organizations in sectors such as finance, healthcare, and critical infrastructure, which often deploy AI solutions, may face regulatory and reputational damage if exploited. The requirement for user interaction suggests phishing or social engineering might be vectors, increasing the risk in environments with less mature security awareness. The absence of known exploits currently provides a window for proactive mitigation before active exploitation occurs.

1. Immediate mitigation should include restricting access to the /key/block endpoint through network segmentation and firewall rules, limiting exposure to trusted users and systems only. 2. Implement strict input validation and parameterized queries or prepared statements in the application code to prevent SQL injection. 3. Conduct thorough code reviews and penetration testing focused on the /key/block endpoint and other input vectors. 4. Monitor logs for unusual or suspicious SQL query patterns or failed injection attempts. 5. Educate users about phishing and social engineering risks since user interaction is required for exploitation. 6. Engage with BerriAI to obtain patches or updates as soon as they become available and plan for timely deployment. 7. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block SQL injection attempts targeting this endpoint. 8. Review and audit database permissions to ensure the application uses least privilege principles, limiting the potential damage of a successful injection.