GHSA-98X5-VQ43-VC5P
Vulnerability from github – Published: 2026-06-26 20:51 – Updated: 2026-06-26 20:51Impact
semantic-router versions 0.1.8 through 0.1.14 declare litellm>=1.61.3 with no upper bound. During the window in which litellm==1.82.8 was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel.
The malicious litellm==1.82.8 wheel ships a litellm_init.pth file that executes on Python interpreter startup — no import required. It collects and exfiltrates:
- Process environment variables
- AWS / GCP / Azure credentials
- SSH keys, Kubernetes configs, shell history
- Database credentials and CI/CD secrets
- Cryptocurrency wallets
Stage-two payload encrypts the collected data (AES-256 + embedded RSA pubkey) and POSTs it to https://models.litellm.cloud/.
See upstream: BerriAI/litellm#24512 and CVE-2026-42208.
Patches
Fixed in semantic-router 0.1.15, which raises the floor to litellm>=1.83.7.
Workarounds
If developers cannot upgrade immediately:
- Pin litellm>=1.83.7,!=1.82.8 explicitly in their own project.
- Audit site-packages/ for litellm_init.pth and delete if present.
- Rotate any credentials reachable from environments where an affected install ran.
Credit
Upstream report and triage by the litellm maintainers — see issue #24512.
One caveat before publishing
CVE-2026-42208 specifically names 1.82.8. Pip's resolver picks "latest matching", so the real affected blast radius for semantic-router is users who ran pip install during the window that 1.82.8 was on PyPI — not everyone who ever installed 0.1.8–0.1.14. The advisory is still correct (an affected install could have pulled the bad wheel), but consider whether a Severity: Critical / Exploitability: time-bounded note would help downstream readers understand the exposure model.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "semantic-router"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.8"
},
{
"fixed": "0.1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T20:51:20Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Impact\nsemantic-router versions 0.1.8 through 0.1.14 declare `litellm\u003e=1.61.3` with no upper bound. During the window in which `litellm==1.82.8` was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel.\n\nThe malicious `litellm==1.82.8` wheel ships a `litellm_init.pth` file that executes on Python interpreter startup \u2014 no import required. It collects and exfiltrates:\n- Process environment variables\n- AWS / GCP / Azure credentials\n- SSH keys, Kubernetes configs, shell history\n- Database credentials and CI/CD secrets\n- Cryptocurrency wallets\n\nStage-two payload encrypts the collected data (AES-256 + embedded RSA pubkey) and POSTs it to `https://models.litellm.cloud/`.\n\nSee upstream: [BerriAI/litellm#24512](https://github.com/BerriAI/litellm/issues/24512) and [CVE-2026-42208](https://www.cve.org/CVERecord?id=CVE-2026-42208).\n\n## Patches\nFixed in **semantic-router 0.1.15**, which raises the floor to `litellm\u003e=1.83.7`.\n\n## Workarounds\nIf developers cannot upgrade immediately:\n- Pin `litellm\u003e=1.83.7,!=1.82.8` explicitly in their own project.\n- Audit `site-packages/` for `litellm_init.pth` and delete if present.\n- Rotate any credentials reachable from environments where an affected install ran.\n\n## Credit\nUpstream report and triage by the litellm maintainers \u2014 see issue [#24512](https://github.com/BerriAI/litellm/issues/24512).\n\nOne caveat before publishing\n\nCVE-2026-42208 specifically names 1.82.8. Pip\u0027s resolver picks \"latest matching\", so the real affected blast radius for semantic-router is users who ran pip install during the window that 1.82.8 was on PyPI \u2014 not everyone who ever installed 0.1.8\u20130.1.14. The advisory is still correct (an affected install could have pulled the bad wheel), but consider whether a Severity: Critical / Exploitability: time-bounded note would help downstream readers understand the exposure model.",
"id": "GHSA-98x5-vq43-vc5p",
"modified": "2026-06-26T20:51:20Z",
"published": "2026-06-26T20:51:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aurelio-labs/semantic-router/security/advisories/GHSA-98x5-vq43-vc5p"
},
{
"type": "PACKAGE",
"url": "https://github.com/aurelio-labs/semantic-router"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.