GHSA-98x5-vq43-vc5p
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
Details
## Impact

semantic-router versions 0.1.8 through 0.1.14 declare `litellm>=1.61.3` with no upper bound. During the window in which `litellm==1.82.8` was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel.
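To make the exposure model concrete, here is an added example (not code from the advisory, semantic-router or litellm) that models pip's "newest version that satisfies every specifier" selection and runs the three pins that matter here against two constructed index snapshots. The only versions taken from the advisory are 1.61.3, 1.82.8 and 1.83.7; the other entries in the index lists are hypothetical, and real pip additionally handles pre-releases, yanked files, wheel/sdist selection and transitive conflicts, none of which is modelled.

```python
"""
Added example, not part of the advisory or either project: a minimal model of
pip's version selection (newest index version satisfying every specifier),
used to show why an unbounded floor resolves to whatever is newest on the index.
"""
import operator
import re
from typing import List, Tuple

_OPS = {
    ">=": operator.ge, "<=": operator.le, "==": operator.eq,
    "!=": operator.ne, ">": operator.gt, "<": operator.lt,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.82.8' -> (1, 82, 8). Only plain dotted releases are supported."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def parse_requirement(req: str):
    """'litellm>=1.61.3,!=1.82.8' -> ('litellm', [('>=', (1,61,3)), ('!=', (1,82,8))])."""
    m = re.fullmatch(r"([A-Za-z0-9_.-]+)(.*)", req.strip())
    name, spec = m.group(1), m.group(2).strip()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        # longest operator first so ">=" is not mistaken for ">"
        op = next(o for o in sorted(_OPS, key=len, reverse=True) if part.startswith(o))
        clauses.append((op, parse_version(part[len(op):].strip())))
    return name, clauses


def satisfies(version: str, clauses) -> bool:
    """True if `version` meets every (operator, bound) clause."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def resolve(req: str, index: List[str]) -> str:
    """Pick the newest index version satisfying every clause, as pip does by default."""
    _, clauses = parse_requirement(req)
    matching = [v for v in index if satisfies(v, clauses)]
    if not matching:
        raise LookupError(f"no version on the index satisfies {req!r}")
    return max(matching, key=parse_version)


# Constructed index snapshots (hypothetical lists, not a PyPI dump).
INDEX_DURING_WINDOW = ["1.61.3", "1.75.0", "1.82.7", "1.82.8"]  # compromised 1.82.8 is newest
INDEX_AFTER_REMOVAL = ["1.61.3", "1.75.0", "1.82.7", "1.83.7"]  # bad wheel gone, fixed release up

UNBOUNDED_PIN = "litellm>=1.61.3"            # semantic-router 0.1.8 through 0.1.14
FIXED_PIN = "litellm>=1.83.7"                # semantic-router 0.1.15
WORKAROUND_PIN = "litellm>=1.83.7,!=1.82.8"  # explicit pin from the Workarounds section


def compromised_pick(req: str, index: List[str], bad: str = "1.82.8") -> bool:
    """True if resolving `req` against `index` would install the compromised release."""
    try:
        return resolve(req, index) == bad
    except LookupError:
        return False


if __name__ == "__main__":
    for label, idx in (("during window", INDEX_DURING_WINDOW),
                       ("after removal", INDEX_AFTER_REMOVAL)):
        for req in (UNBOUNDED_PIN, FIXED_PIN, WORKAROUND_PIN):
            try:
                print(f"{label:14} {req:30} -> {resolve(req, idx)}")
            except LookupError as exc:
                print(f"{label:14} {req:30} -> {exc}")
```

Running it shows the time-bounded nature of the exposure: the unbounded pin selects 1.82.8 only while that release is the newest on the index, and selects 1.83.7 once the bad wheel is gone. Note that `>=1.83.7` on its own already excludes 1.82.8 (1.82.8 sorts below 1.83.7), so the `!=1.82.8` in the workaround is belt-and-braces rather than load-bearing.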
The malicious `litellm==1.82.8` wheel ships a `litellm_init.pth` file that executes on Python interpreter startup, with no import of the package required. It collects and exfiltrates:

- Process environment variables
- AWS / GCP / Azure credentials
- SSH keys, Kubernetes configs, shell history
- Database credentials and CI/CD secrets
- Cryptocurrency wallets
The stage-two payload encrypts the collected data (AES-256 with an embedded RSA public key) and POSTs it to `https://models.litellm.cloud/`.
See upstream: [BerriAI/litellm#24512](https://github.com/BerriAI/litellm/issues/24512) and [CVE-2026-42208](https://www.cve.org/CVERecord?id=CVE-2026-42208).
## Patches

Fixed in **semantic-router 0.1.15**, which raises the floor to `litellm>=1.83.7`.
## Workarounds

If developers cannot upgrade immediately:

- Pin `litellm>=1.83.7,!=1.82.8` explicitly in their own project.
- Audit `site-packages/` for `litellm_init.pth` and delete it if present.
- Rotate any credentials reachable from environments where an affected install ran.
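The `.pth` mechanism described in the Impact section and the audit step above share one fact worth seeing in code: CPython's `site` module reads every `*.pth` file in each site-packages directory at startup and executes any line that begins with `import ` (or `import` followed by a tab), which is how a hook runs without the package ever being imported. The following added example (not code from the advisory or either project) scans for `.pth` files that execute code and flags the file name named in the advisory; the two sample files it writes in `demo()` are constructed here, and the hook line in the constructed `litellm_init.pth` is a harmless stand-in, not the real payload.

```python
"""
Added example, not part of the advisory or either project: audit .pth files in
site-packages for lines that site.py would exec() at interpreter startup.
Run it as `python -S audit_pth.py` so site.py is skipped and no .pth file on the
box executes while you are auditing.
"""
import os
import site
import tempfile
from typing import Dict, List

SUSPECT_NAMES = {"litellm_init.pth"}   # file name reported in the advisory


def executable_pth_lines(text: str) -> List[str]:
    """Return the lines of a .pth file that site.addpackage() would exec().

    site.py skips comments and blank lines, treats lines starting with
    "import " or "import\\t" as code, and treats everything else as a path.
    """
    hits = []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(("import ", "import\t")):
            hits.append(line)
    return hits


def scan_pth_dir(directory: str) -> Dict[str, List[str]]:
    """Map .pth files in `directory` that warrant attention to their executable lines.

    A file is reported if it contains any code line or if its name is in SUSPECT_NAMES.
    """
    findings: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = executable_pth_lines(fh.read())
        except OSError:
            continue
        if lines or name in SUSPECT_NAMES:
            findings[path] = lines
    return findings


def site_dirs() -> List[str]:
    """Every directory the running interpreter would process .pth files from."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return [d for d in dict.fromkeys(dirs) if d]   # de-duplicate, keep order


def demo() -> Dict[str, List[str]]:
    """Write two constructed .pth files into a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="pth-audit-")
    with open(os.path.join(root, "editable-myproj.pth"), "w", encoding="utf-8") as fh:
        fh.write("/srv/myproj/src\n")           # benign: a path entry, no code
    with open(os.path.join(root, "litellm_init.pth"), "w", encoding="utf-8") as fh:
        # Constructed stand-in with the same shape as a startup hook; not the real payload.
        fh.write("import sys; exec('print(\"hook ran\")')\n")
    return scan_pth_dir(root)


if __name__ == "__main__":
    for d in site_dirs():
        for path, lines in scan_pth_dir(d).items():
            print(f"{path}: {len(lines)} executable line(s)")
            for line in lines:
                print("    ", line)
```

Anything this reports should be read as a hit to investigate, not proof of compromise: editable installs and some legitimate tooling also ship code-bearing `.pth` files, so compare the flagged file against the package's published distribution before deleting it. If `litellm_init.pth` is present, treat the credential-rotation step above as mandatory, since the hook has already run in every interpreter started from that environment.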
## Credit

Upstream report and triage by the litellm maintainers; see issue [#24512](https://github.com/BerriAI/litellm/issues/24512).
One caveat before publishing
CVE-2026-42208 specifically names 1.82.8. Pip's resolver picks "latest matching", so the real affected blast radius for semantic-router is users who ran pip install during the window that 1.82.8 was on PyPI — not everyone who ever installed 0.1.8–0.1.14. The advisory is still correct (an affected install could have pulled the bad wheel), but consider whether a Severity: Critical / Exploitability: time-bounded note would help downstream readers understand the exposure model.
## Affected packages

- semantic-router (pip): affected `>= 0.1.8, < 0.1.15`; fixed in 0.1.15
- Upgrade: `pip install --upgrade 'semantic-router>=0.1.15'`