Skip to content

semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin

Critical severity GitHub Reviewed Published May 23, 2026 in aurelio-labs/semantic-router • Updated Jun 26, 2026

Package

semantic-router (pip)

Affected versions

>= 0.1.8, < 0.1.15

Patched versions

0.1.15

Description

Impact

semantic-router versions 0.1.8 through 0.1.14 declare litellm>=1.61.3 with no upper bound. During the window in which litellm==1.82.8 was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel.

The malicious litellm==1.82.8 wheel ships a litellm_init.pth file that executes on Python interpreter startup — no import required. It collects and exfiltrates:

  • Process environment variables
  • AWS / GCP / Azure credentials
  • SSH keys, Kubernetes configs, shell history
  • Database credentials and CI/CD secrets
  • Cryptocurrency wallets

Stage-two payload encrypts the collected data (AES-256 + embedded RSA pubkey) and POSTs it to https://models.litellm.cloud/.

See upstream: BerriAI/litellm#24512 and CVE-2026-42208.

Patches

Fixed in semantic-router 0.1.15, which raises the floor to litellm>=1.83.7.

Workarounds

If developers cannot upgrade immediately:

  • Pin litellm>=1.83.7,!=1.82.8 explicitly in their own project.
  • Audit site-packages/ for litellm_init.pth and delete if present.
  • Rotate any credentials reachable from environments where an affected install ran.

Credit

Upstream report and triage by the litellm maintainers — see issue #24512.

One caveat before publishing

CVE-2026-42208 specifically names 1.82.8. Pip's resolver picks "latest matching", so the real affected blast radius for semantic-router is users who ran pip install during the window that 1.82.8 was on PyPI — not everyone who ever installed 0.1.8–0.1.14. The advisory is still correct (an affected install could have pulled the bad wheel), but consider whether a Severity: Critical / Exploitability: time-bounded note would help downstream readers understand the exposure model.

References

@jamescalam jamescalam published to aurelio-labs/semantic-router May 23, 2026
Published to the GitHub Advisory Database Jun 26, 2026
Reviewed Jun 26, 2026
Last updated Jun 26, 2026

Severity

Critical

EPSS score

Weaknesses

Embedded Malicious Code

The product contains code that appears to be malicious in nature. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-98x5-vq43-vc5p

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.