deps(security): bump litellm floor to >=1.83.10 (GHSA-wxxx-gvqv-xp7p / CVE-2026-40217, sandbox escape RCE HIGH 8.8) #1984

Open
r266-tech wants to merge 2 commits into volcengine:main from r266-tech:deps-security-bump-litellm-1.83.10-floor


@r266-tech
Contributor

Summary

Bump litellm floor from >=1.83.7 to >=1.83.10 in pyproject.toml to close GHSA-wxxx-gvqv-xp7p / CVE-2026-40217 (sandbox escape RCE, HIGH 8.8), published 2026-05-11T16:17:23Z.

The current floor 1.83.7 permits installing the vulnerable releases 1.83.7 / 1.83.8 / 1.83.9. The ceiling <1.83.13 is unchanged.

Advisory

  • GHSA: GHSA-wxxx-gvqv-xp7p (CVE-2026-40217)
  • Severity: HIGH (CVSS 8.8)
  • Vulnerable range: >=1.81.8, <1.83.10
  • First patched version: 1.83.10 (released 2026-04-27)
  • Impact: POST /guardrails/test_custom_code runs user-supplied Python in a hand-rolled sandbox. Bytecode-level escape allows RCE in the proxy process (runs as root in the default Docker image). Reaching the endpoint requires proxy-admin credential. Fix replaces the hand-rolled sandbox with RestrictedPython.

OpenViking deployments that use a proxy-admin credential for ops automation (common pattern) are within blast radius.

Diff

- "litellm>=1.83.7,<1.83.13",
+ "litellm>=1.83.10,<1.83.13",
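
Review bot: the `+` line sets the floor to 1.83.10 with no inline comment recording why that version is the minimum; add a trailing comment on that line naming GHSA-wxxx-gvqv-xp7p / CVE-2026-40217 so a later edit of the specifier does not drop below the first patched version. With the unchanged `<1.83.13` ceiling the range now admits only 1.83.10 through 1.83.12, and the specifier alone does not upgrade environments already resolved to 1.83.7 through 1.83.9, so if the repository carries a lock or constraints file it should be regenerated in the same PR.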

Resolver viability

Three viable versions remain in the bumped range: 1.83.10, 1.83.11, 1.83.12, all live on PyPI. The ceiling <1.83.13 is preserved from the prior intentional ceiling pin (per #1882 precedent and dependabot history of bumping below known-bad upper releases).

Orthogonality with dependabot #1829

Dependabot #1829 (OPEN, 2026-04-30) extends the ceiling from <1.83.13 to <1.83.15 but leaves the floor at >=1.83.7. The two PRs are orthogonal — this PR closes the security gap at the floor; #1829 broadens the ceiling. Either can land first; if #1829 lands first, this PR rebases trivially (floor bump independent of ceiling).

Form precedent

Same single-line floor-bump pattern as already merged by qin-ctx:

Test plan

  • CI passes (pip resolver finds at least one viable litellm in 1.83.10-1.83.12)
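
The floor and ceiling reasoning in the PR description above can be checked mechanically by intersecting a requirement with the advisory's vulnerable range. This is an added example, not code from the PR or from OpenViking; the function names are hypothetical, it handles only plain dotted release numbers, and the release list is limited to the versions the description names.

```python
import re

# Values below are taken from the PR description; function names are hypothetical.
VULNERABLE_RANGE = ">=1.81.8,<1.83.10"   # advisory's vulnerable range
OLD_SPEC = ">=1.83.7,<1.83.13"           # requirement before the bump
NEW_SPEC = ">=1.83.10,<1.83.13"          # requirement after the bump
RELEASES = ["1.83.7", "1.83.8", "1.83.9", "1.83.10", "1.83.11", "1.83.12"]

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Parse '1.83.10' into (1, 83, 10); string comparison would sort it before '1.83.7'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # treat 1.83 and 1.83.0 as equal
        parts.pop()
    return tuple(parts)


def admits(spec, version):
    """True if every comma-separated clause of spec accepts version."""
    v = parse_version(version)
    for raw in spec.split(","):
        m = _CLAUSE.match(raw.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {raw!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def audit(requirement, vulnerable_range, releases):
    """Split the releases a requirement admits into vulnerable and patched."""
    admitted = [r for r in releases if admits(requirement, r)]
    vulnerable = [r for r in admitted if admits(vulnerable_range, r)]
    patched = [r for r in admitted if r not in vulnerable]
    return {"vulnerable": vulnerable, "patched": patched}


if __name__ == "__main__":
    for label, spec in (("old", OLD_SPEC), ("new", NEW_SPEC)):
        print(label, spec, audit(spec, VULNERABLE_RANGE, RELEASES))
```

Run as a CI step, a non-empty `vulnerable` list for the declared requirement is the condition to fail on.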

@github-actions

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶

1975 - Not compliant

Non-compliant requirements:

  • Bump urllib3 floor from >=2.6.3 to >=2.7.0 in pyproject.toml
  • Close two HIGH-severity urllib3 advisories

1829 - Not compliant

Non-compliant requirements:

  • Update litellm requirement ceiling to <1.83.15

1877 - Fully compliant

Compliant requirements:

  • Bump python-multipart floor to >=0.0.27 (already present in diff)
⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🏅 Score: 95
🧪 No relevant tests
🔒 Security concerns

Urllib3 remains at >=2.6.3, which is vulnerable to two HIGH-severity advisories (GHSA-mf9v-mfxr-j63j, GHSA-qccp-gfcp-xxvc) that require >=2.7.0.

✅ No TODO sections
🔀 No multiple PR themes
⚡ Recommended focus areas for review

Unaddressed Security Ticket

This PR's branch and description focus on litellm, but the provided tickets include urllib3 GHSA-mf9v-mfxr-j63j / GHSA-qccp-gfcp-xxvc which require bumping urllib3 to >=2.7.0. The current diff leaves urllib3 at >=2.6.3, still vulnerable to those HIGH-severity issues.

"urllib3>=2.6.3",

@github-actions

PR Code Suggestions ✨

No code suggestions found for the PR.
