Revert "fix: langfuse trace leak key on model params"

[yuneng-jiang]

Reverts #22188

https://app.circleci.com/pipelines/github/BerriAI/litellm/69346/workflows/b702f2b3-b3a7-4bf3-b6ca-b180b07b5a1c/jobs/1414382/tests

Please take a look at the failing tests when you get a chance

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Building	Preview, Comment	Mar 17, 2026 3:58pm

[greptile-apps]

Greptile Summary

This PR reverts #22188 ("fix: langfuse trace leak key on model params"), which had introduced whitelist-based sanitisation of optional_params before they were forwarded to Langfuse, and a broader scrubbing pass over sensitive metadata keys. The stated reason is a set of failing CI tests linked in the description.

Key changes and concerns:

• langfuse.py – credential leak reintroduced (v1 & v2 paths): The whitelist filter (ModelParamHelper.get_standard_logging_model_parameters) has been removed. Now only secret_fields is popped before optional_params is forwarded to Langfuse as modelParameters. Fields such as api_key, api_base, authorization, and headers — all of which may carry live credentials — can now appear in Langfuse traces. The existing tests test_langfuse_model_parameters_no_secret_leakage and test_langfuse_v2_uses_standard_logging_model_parameters directly assert that these fields must NOT reach Langfuse; this revert breaks both tests.

• litellm_logging.py – incomplete metadata scrubbing: scrub_sensitive_keys_in_metadata previously (a) removed the entire user_api_key_auth object (noted as "contains full auth object with nested credentials"), (b) scrubbed callback_settings from three metadata sub-dicts, and (c) scrubbed the logging key from all three of user_api_key_metadata, user_api_key_auth_metadata, and user_api_key_team_metadata. After this revert only the logging key in user_api_key_metadata is handled; user_api_key_auth, callback_settings, and the other two metadata scopes are all left intact and will reach downstream logging integrations.

• Partial litellm_params["metadata"] write-back: The litellm_params["metadata"] = metadata reassignment is now inside a conditional block, so when user_api_key_metadata is absent the mutation is never written back — a logic regression relative to the original code.

Recommendation: Rather than a full revert, identify the specific tests that were failing and fix the filtering logic to accommodate them while keeping the security protections in place. The whitelist approach in ModelParamHelper could be extended, or the specific params causing test failures could be explicitly allow-listed, without abandoning all credential filtering.

Confidence Score: 1/5

• Not safe to merge — this revert reintroduces credential leakage (API keys, auth headers, full auth objects) into Langfuse traces and other logging integrations.
• Two independent P0 security regressions: (1) raw optional_params including api_key/authorization/headers forwarded to Langfuse modelParameters in both v1 and v2 logging paths, and (2) user_api_key_auth (full auth object with nested credentials) and callback_settings are no longer scrubbed from logging metadata. Existing unit tests explicitly cover these scenarios and would fail with these changes.
• Both changed files require attention: litellm/integrations/langfuse/langfuse.py (credential leak in modelParameters) and litellm/litellm_core_utils/litellm_logging.py (incomplete metadata scrubbing).

Important Files Changed

Filename	Overview
litellm/integrations/langfuse/langfuse.py	Reverts whitelist-based model-parameter sanitisation; raw optional_params (including api_key, authorization, headers) are now forwarded to Langfuse in both v1 and v2 logging paths, reintroducing the credential-leak vulnerability that PR #22188 fixed.
litellm/litellm_core_utils/litellm_logging.py	scrub_sensitive_keys_in_metadata now omits removal of user_api_key_auth, callback_settings, and logging scrubbing for user_api_key_auth_metadata / user_api_key_team_metadata, reintroducing credential exposure in all logging integrations.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[LiteLLM request completes] --> B[Logging handler collects kwargs]
    B --> C[optional_params extracted]
    C --> D{This PR: pop secret_fields only}
    D --> E[optional_params still contains:\napi_key, api_base,\nauthorization, headers]
    E --> F[Passed as modelParameters\nto Langfuse v1 & v2]
    F --> G[🚨 Credentials stored\nin Langfuse trace]

    B --> H[scrub_sensitive_keys_in_metadata]
    H --> I{user_api_key_metadata?}
    I -- yes --> J[Scrub 'logging' key only\nin user_api_key_metadata]
    I -- no --> K[No-op]
    J --> L[user_api_key_auth NOT removed\ncallback_settings NOT removed\nother metadata fields NOT scrubbed]
    L --> G

    style G fill:#f55,color:#fff
    style D fill:#ffa500,color:#000
    style L fill:#ffa500,color:#000

Loading

_{Last reviewed commit: 467706e}

[greptile-apps]

Credential leak in Langfuse v1 model parameters

After this revert, the raw optional_params dict (with only secret_fields popped) is passed directly to Langfuse as modelParameters. Fields like api_key, api_base, authorization, and headers can still leak to Langfuse traces.

The existing test test_langfuse_model_parameters_no_secret_leakage explicitly verifies that these fields must NOT appear in the logged parameters:

# Sensitive params that must NOT leak
"api_key": "sk-secret-key-12345",
"api_base": "https://my-private-endpoint.com",
"authorization": "Bearer sk-another-secret",
"headers": {"X-Api-Key": "secret-header-value"},

Popping only secret_fields is insufficient — these other keys will still pass through to Langfuse. The whitelist approach from ModelParamHelper.get_standard_logging_model_parameters() was what prevented leakage of all non-standard keys.

[greptile-apps]

Credential leak in Langfuse v2 model parameters

Same credential leak issue as the v1 path: optional_params is passed directly to Langfuse's generation() without whitelist filtering. Fields such as api_key, authorization, and headers present in optional_params will be recorded in Langfuse traces.

The removed logic previously fell back to ModelParamHelper.get_standard_logging_model_parameters() when no standard_logging_object was available, providing a last-resort sanitisation layer. That safety net no longer exists.

[greptile-apps]

Multiple sensitive metadata fields no longer scrubbed

The original scrub_sensitive_keys_in_metadata removed three categories of sensitive data that are no longer handled after this revert:

1. user_api_key_auth entire key — the old code explicitly called metadata.pop("user_api_key_auth", None) with the comment "contains full auth object with nested credentials". That object (a UserAPIKeyAuth instance) may include team secrets, org tokens, and other nested credentials. It is no longer removed.

2. callback_settings — removed from all three metadata fields (user_api_key_metadata, user_api_key_auth_metadata, user_api_key_team_metadata) previously. These can contain callback API keys (e.g., Langfuse secret keys). Only user_api_key_metadata is touched now, and only the logging key, not callback_settings.

3. user_api_key_auth_metadata and user_api_key_team_metadata — the logging key inside these two fields is no longer scrubbed. This means per-team / per-key logging credentials could reach Langfuse.

Additionally, the litellm_params["metadata"] = metadata write-back is now inside the if "user_api_key_metadata" in metadata block. If the incoming metadata dict was resolved via the or {} fallback (i.e., it's a freshly allocated dict), any mutations will not be persisted back to litellm_params when user_api_key_metadata is absent.