litellm_fix(security): allowlist Next.js CVEs for 7 days (#20169)

Temporarily allowlist Next.js vulnerabilities in UI dashboard:
- GHSA-h25m-26qc-wcjf (HIGH: DoS via request deserialization)
- CVE-2025-59471 (MEDIUM: Image Optimizer DoS)

Fix: Upgrade to Next.js 15.5.10+ or 16.1.5+ (7-day timeline)

Changes:
- Added .trivyignore with Next.js CVEs
- Updated security_scans.sh to use --ignorefile flag
shin-bot-litellm 2026-01-31 10:25:57 -08:00 committed by GitHub
parent 5434b66b9c
commit df042f7545
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 14 additions and 2 deletions

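--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1,12 @@
+# LiteLLM Trivy Ignore File
+# CVEs listed here are temporarily allowlisted pending fixes
+# Next.js vulnerabilities in UI dashboard (next@14.2.35)
+# Allowlisted: 2026-01-31, 7-day fix timeline
+# Fix: Upgrade to Next.js 15.5.10+ or 16.1.5+
+# HIGH: DoS via request deserialization
+GHSA-h25m-26qc-wcjf
+# MEDIUM: Image Optimizer DoS
+CVE-2025-59471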
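Review bot: The 7-day timeline on the "Allowlisted:" comment line is not enforced by anything; once the week passes, both entries keep suppressing findings until someone remembers to delete them. Trivy's ignore file accepts a per-entry expiry suffix, so the two ID lines could carry it and the scan would start failing again on its own: `GHSA-h25m-26qc-wcjf exp:2026-02-07` and `CVE-2025-59471 exp:2026-02-07` (date derived from the allowlist date plus the stated seven days; adjust if the intended deadline differs). It is also worth noting in the header comment that the entries are unqualified, so they apply to every path scanned with this file, not only the UI dashboard.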


@ -81,10 +81,10 @@ run_trivy_scans() {
echo "Running Trivy scans..."
echo "Scanning LiteLLM Docs..."
trivy fs --scanners vuln --dependency-tree --exit-code 1 --severity HIGH,CRITICAL,MEDIUM ./docs/
trivy fs --ignorefile .trivyignore --scanners vuln --dependency-tree --exit-code 1 --severity HIGH,CRITICAL,MEDIUM ./docs/
echo "Scanning LiteLLM UI..."
trivy fs --scanners vuln --dependency-tree --exit-code 1 --severity HIGH,CRITICAL,MEDIUM ./ui/
trivy fs --ignorefile .trivyignore --scanners vuln --dependency-tree --exit-code 1 --severity HIGH,CRITICAL,MEDIUM ./ui/
echo "Trivy scans completed successfully"
}
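Review bot: The new `--ignorefile .trivyignore` flag is added to the ./docs/ scan as well as the ./ui/ scan, but the description and the ignore file's own comments scope the two allowlisted IDs to the UI dashboard's Next.js dependency, so the docs scan is now suppressed more widely than the commit states. Unless the docs tree is known to pull in the same vulnerable package, keep the docs line as it was and pass the ignore file only on the UI line: `trivy fs --scanners vuln --dependency-tree --exit-code 1 --severity HIGH,CRITICAL,MEDIUM ./docs/`. The ignore file path is cwd-relative like the ./docs/ and ./ui/ targets, so it presumably relies on the script being run from the repository root; a one-line comment stating that assumption would help the next person who runs it from elsewhere. run_trivy_scans() begins before this hunk.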