Applies to:
- Plan -
- Deployment -
Summary
An implementation bug in Braintrust-maintained LiteLLM instrumentation could cause provider credentials passed directly to LiteLLM calls to be stored in Braintrust span metadata. The GitHub security advisory is the canonical source for affected versions, the trace detection query, workarounds, and technical references. This article answers common questions about the issue.Frequently asked questions
Was this a supply chain attack?
No. This was an implementation bug in Braintrust-maintained LiteLLM instrumentation. We found no compromise of thebraintrust PyPI package, its build or publishing process, LiteLLM, or Braintrust systems.
Which versions were affected?
The issue affectedbraintrust v0.2.0 to v0.27.x. It is fixed in braintrust v0.28.0 and later.
Which instrumentation entry points were affected?
The affected paths were:wrap_litellm()beginning inbraintrust==0.2.0.patch_litellm()beginning inbraintrust==0.3.5.- LiteLLM instrumentation through
auto_instrument()beginning inbraintrust==0.5.2.
What credentials could have been recorded?
Confirmed examples include:- API keys.
- Authorization and API-key headers.
- Azure authentication tokens.
- AWS access keys, secret keys, and session tokens.
- Vertex AI credentials.
Were credentials loaded from environment variables affected?
Credentials obtained by LiteLLM solely through environment variables, global LiteLLM configuration, or a cloud provider’s default credential chain were not captured by this issue because they were not present in the instrumented call arguments.Were credentials sent anywhere other than Braintrust?
The instrumentation included the values in Braintrust span metadata. Normal provider requests were still sent to the provider selected through LiteLLM. We found no evidence that the issue transmitted credentials to any additional third party.How can I check for affected traces?
Follow Check for affected traces in the GitHub security advisory. The query identifies common credential fields without returning their values. Because LiteLLM supports arbitrary provider-specific keyword arguments, the absence of results does not rule out credentials passed through custom argument names.What changed in the fixed version?
The patched release records only an allowlist of known-safe LiteLLM request parameters. Credential fields, headers, transport configuration, and unknown provider-specific arguments are omitted from new span metadata by default.Does upgrading remove existing metadata?
No. Upgrading prevents affected fields from being recorded in new traces, but it does not modify traces already stored.What should I do if I find an affected trace?
Rotate the credential as soon as possible. Then review project access and upgrade every affected application tobraintrust v0.28.0 or later.
What can I do if I cannot upgrade immediately?
Follow the workarounds in the GitHub security advisory. They include using environment-based authentication, configuringbraintrust.set_masking_function(), or disabling LiteLLM instrumentation until you can upgrade.