Impact
semantic-router versions 0.1.8 through 0.1.14 declare litellm>=1.61.3 with no upper bound. During the window in which litellm==1.82.8 was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel.
The malicious litellm==1.82.8 wheel ships a litellm_init.pth file that executes on Python interpreter startup — no import required. It collects and exfiltrates:
- Process environment variables
- AWS / GCP / Azure credentials
- SSH keys, Kubernetes configs, shell history
- Database credentials and CI/CD secrets
- Cryptocurrency wallets
Stage-two payload encrypts the collected data (AES-256 + embedded RSA pubkey) and POSTs it to https://models.litellm.cloud/.
See upstream: BerriAI/litellm#24512 and CVE-2026-42208.
Patches
Fixed in semantic-router 0.1.15, which raises the floor to litellm>=1.83.7.
Workarounds
If developers cannot upgrade immediately:
- Pin
litellm>=1.83.7,!=1.82.8 explicitly in their own project.
- Audit
site-packages/ for litellm_init.pth and delete if present.
- Rotate any credentials reachable from environments where an affected install ran.
Credit
Upstream report and triage by the litellm maintainers — see issue #24512.
One caveat before publishing
CVE-2026-42208 specifically names 1.82.8. Pip's resolver picks "latest matching", so the real affected blast radius for semantic-router is users who ran pip install during the window that 1.82.8 was on PyPI — not everyone who ever installed 0.1.8–0.1.14. The advisory is still correct (an affected install could have pulled the bad wheel), but consider whether a Severity: Critical / Exploitability: time-bounded note would help downstream readers understand the exposure model.
References
Impact
semantic-router versions 0.1.8 through 0.1.14 declare
litellm>=1.61.3with no upper bound. During the window in whichlitellm==1.82.8was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel.The malicious
litellm==1.82.8wheel ships alitellm_init.pthfile that executes on Python interpreter startup — no import required. It collects and exfiltrates:Stage-two payload encrypts the collected data (AES-256 + embedded RSA pubkey) and POSTs it to
https://models.litellm.cloud/.See upstream: BerriAI/litellm#24512 and CVE-2026-42208.
Patches
Fixed in semantic-router 0.1.15, which raises the floor to
litellm>=1.83.7.Workarounds
If developers cannot upgrade immediately:
litellm>=1.83.7,!=1.82.8explicitly in their own project.site-packages/forlitellm_init.pthand delete if present.Credit
Upstream report and triage by the litellm maintainers — see issue #24512.
One caveat before publishing
CVE-2026-42208 specifically names 1.82.8. Pip's resolver picks "latest matching", so the real affected blast radius for semantic-router is users who ran pip install during the window that 1.82.8 was on PyPI — not everyone who ever installed 0.1.8–0.1.14. The advisory is still correct (an affected install could have pulled the bad wheel), but consider whether a Severity: Critical / Exploitability: time-bounded note would help downstream readers understand the exposure model.
References