What happened?
Any internal_user_viewer user can GET /user/list, which returns the password field for all users including admins.
Although this field may be hashed by SHA256, an attacker can directly use this to log into the UI, as implemented in login.
This is definitely a vulnerability but I will just post it here since it is too trivial for anyone to find.
Other endpoints such as /user/info also return the password field, so we'd better fix them as well.
Relevant log output
N/A
Are you a ML Ops Team?
Yes
What LiteLLM version are you on?
main
Twitter / LinkedIn details
No response
In which version was this introduced?
Any internal_user_viewer user can GET /user/list
FWIW, the docstring for get_users says "Currently - admin-only endpoint." I didn't see where that's enforced from a quick look.
@chrisranderson Seems that there are lots of checks in route_checks.py but unfortunately checks for /user/list are missing.
FYI, I am using nginx to work around this vulnerability by enforcing additional route checking:

```nginx
upstream litellm {
    server ...;
}

# $auth_result is set in includes/auth.conf; only "admin" reaches the real upstream
map $auth_result $litellm_only_admin {
    admin   litellm;
    default litellm/404;
}

server {
    # llm api routes
    location ~ ^(/v\d+)?/(chat/|images/|audio/|batches/|files/|completions$|embeddings$|models$) {
        proxy_pass http://litellm;
        proxy_buffering off;
    }

    # ui routes
    location ~ ^/(login|ui/.*|sso/get/ui_settings|team/list|user/info|global/spend/(logs|keys|models|provider)|global/activity(/model)?|(model|model_group)/info)$ {
        include includes/auth.conf;
        proxy_pass http://litellm;
    }

    # allow admin user to view all routes
    location / {
        include includes/auth.conf;
        proxy_pass http://$litellm_only_admin;
    }
    ...
}
```
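The thread points at two defects: the missing role check for /user/list in route_checks.py, and user records being serialised with their password field. The added example below (not LiteLLM's own code) shows an application-side version of both fixes plus a regression check that walks a response body for leaked keys; the role name proxy_admin, the route table and the sample response are assumptions constructed for the example.

```python
"""Added example, not LiteLLM's own code: route-level role check, response
field stripping, and a regression scan for secret keys in a response body."""
from typing import Any

# Routes the report flags as leaking user records; assumed admin-only here.
ADMIN_ONLY_ROUTES = {"/user/list", "/user/info"}
# Keys that must never appear in a response body, however deeply nested.
SECRET_KEYS = {"password"}


def route_allowed(role: str, route: str) -> bool:
    """Deny-by-default: routes in ADMIN_ONLY_ROUTES need the (assumed) admin role."""
    if route in ADMIN_ONLY_ROUTES:
        return role == "proxy_admin"
    return True


def strip_secret_keys(obj: Any) -> Any:
    """Recursively drop secret keys from dicts and lists before serialising."""
    if isinstance(obj, dict):
        return {k: strip_secret_keys(v) for k, v in obj.items() if k not in SECRET_KEYS}
    if isinstance(obj, list):
        return [strip_secret_keys(v) for v in obj]
    return obj


def find_secret_keys(obj: Any, path: str = "$") -> list[str]:
    """Regression check: return JSON-style paths of any secret key still present."""
    found: list[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = f"{path}.{k}"
            if k in SECRET_KEYS:
                found.append(child)
            found.extend(find_secret_keys(v, child))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_secret_keys(v, f"{path}[{i}]"))
    return found


# Constructed sample of a leaky /user/list body; digests are placeholders.
SAMPLE_USER_LIST = {"users": [
    {"user_id": "admin", "user_role": "proxy_admin", "password": "<sha256-placeholder>"},
    {"user_id": "viewer", "user_role": "internal_user_viewer", "password": "<sha256-placeholder>"},
]}


def handle_user_list(role: str) -> tuple[int, Any]:
    """Hypothetical handler: 403 for non-admins, filtered body for admins."""
    if not route_allowed(role, "/user/list"):
        return 403, {"error": "admin only"}
    return 200, strip_secret_keys(SAMPLE_USER_LIST)
```

Running find_secret_keys over every endpoint's serialised output in a test suite catches the /user/info case the reporter mentions as well, without enumerating endpoints by hand.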