# litellm — SSRF primitive in custom guardrail `http_request` helper

STATUS: ALMOST_REPORT (needs investigation; do not submit)
readiness: NEEDS_INVESTIGATION
program: litellm | platform: huntr | repo: BerriAI/litellm | commit: 2026-02-13-scan

````
Repository URL: https://github.com/BerriAI/litellm
Package Manager: pip
Version Affected: latest (observed in 2026-02-13 scan)
Vulnerability Type: Server-Side Request Forgery (SSRF)

CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Title: Custom guardrail http_request primitive lacks private/internal destination filtering

Impact: In admin-compromise or malicious-admin scenarios, this can expose internal services/metadata and aid lateral movement from the LiteLLM server network context.

Description:

# Description

The custom-code guardrail environment exposes an `http_request` primitive that can issue outbound requests without SSRF controls (no internal-IP denylist/allowlist checks noted in the scan). This permits requests to internal addresses if a guardrail author uses attacker-controlled destinations.

This vector is admin-gated (guardrail creation/editing requires the admin role), which reduces exploitability but does not remove SSRF risk in compromised-admin scenarios.

# Proof of Concept

1. Log in as admin and create/update a custom code guardrail.
2. Use the `http_request` primitive with an internal target URL.
3. Trigger guardrail execution.
4. Observe a successful request to the internal destination.

Example target:

```text
http://169.254.169.254/latest/meta-data/
```

Expected vulnerable behavior: the guardrail runtime performs a request to the private/internal URL.

### Impact

In admin-compromise or malicious-admin scenarios, this can expose internal services/metadata and aid lateral movement from the LiteLLM server network context.

### Occurrences

```
Permalink: https://github.com/BerriAI/litellm/blob/main/litellm/proxy/guardrails/custom_code_guardrail.py
Description: custom code guardrail http_request primitive allows outbound requests without internal address restrictions
```

### References

```
URL: https://cwe.mitre.org/data/definitions/918.html
Name: CWE-918: SSRF
URL: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
Name: OWASP SSRF Prevention Cheat Sheet
```
````
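The control the draft says is missing is a destination check in front of the outbound request. The following is an added illustration written for this note, not code from litellm or from `custom_code_guardrail.py`, and it makes no claim about how the real `http_request` primitive is wired up; the function names (`check_destination`, `resolve_all`, `_is_blocked`) and the sample URLs at the bottom are constructed for the example. It resolves the hostname, rejects every answer that lands in loopback, link-local, private, shared, reserved or multicast space (including IPv4-mapped IPv6 forms), and only allows `http`/`https` schemes; the resolver is injectable so the policy can be tested without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an outbound-request primitive should never reach from a server-side
# context. Python's ipaddress flags already cover most of these; the explicit
# list adds shared address space (100.64.0.0/10) and keeps the policy
# reviewable in one place.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

ALLOWED_SCHEMES = ("http", "https")


def resolve_all(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA answer. Every address is checked,
    not just the one the HTTP client would happen to connect to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_blocked(addr) -> bool:
    """addr is an IPv4Address or IPv6Address from the ipaddress module."""
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so it is judged as IPv4.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_destination(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the guardrail wants to fetch."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return False, "no host in URL"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
            return False, f"could not resolve {host!r}: {exc}"
    if not addrs:
        return False, f"{host!r} resolved to no addresses"
    for addr in addrs:
        if _is_blocked(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample destinations; the first is the target from the PoC.
    # A stub resolver keeps the demo offline.
    stub = lambda h: {"api.example.test": ["93.184.216.34"]}.get(h, ["127.0.0.1"])
    for sample in (
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "http://10.0.0.5:8080/",
        "file:///etc/passwd",
        "https://api.example.test/v1/check",
        "http://internal-service.test/",
    ):
        allowed, reason = check_destination(sample, resolver=stub)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {sample}  ({reason})")
```

Two caveats a reviewer would raise against any check of this shape: the verdict must apply to the address actually connected to, otherwise a hostname that resolves differently between the check and the connect (DNS rebinding) slips through, so the client should connect to the vetted IP or re-run the check inside the connection path; and HTTP redirects must either be disabled in the client or re-checked on every hop, since a permitted external host can answer with a `Location` pointing at an internal one. For a guardrail primitive whose legitimate destinations are a handful of known services, an explicit allowlist of hostnames is a stricter policy than the denylist shown here.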