v1.85.0-rc.2

📦 litellm
5 features · 🐛 32 fixes · 🔧 9 symbols

Summary

This release focuses heavily on security hardening, fixing multiple SSRF vulnerabilities and tightening access controls across proxy, guardrails, and various clients. It also introduces new model support for Z.AI on Bedrock and enhances Gemini multimodal embedding capabilities.

Migration Steps

  1. If you rely on the signing key for Docker image verification, note that all images are now signed with the key introduced in commit `0112e53`. Update your verification scripts to use the pinned commit hash or the new release tag key path if necessary.

✨ New Features

  • Added support for Z.AI GLM-5 model on Bedrock.
  • Added support for combined multimodal embeddings via nested input for Gemini.
  • Added support for `parallel_tool_calls` to supported parameters for XAI.
  • Added Model Garden OpenAPI support for publisher model IDs in Vertex AI.
  • Defaulted OpenAI path `encoding_format` to `float` for embeddings.

🐛 Bug Fixes

  • Stripped 'openrouter/' prefix from model names.
  • Gemini now returns separate embeddings for multimodal inputs.
  • Removed duplicate definition of `MAX_SIZE_PER_ITEM_IN_MEMORY_CACHE_IN_KB`.
  • Added missing 'zai' (Z.AI / Zhipu AI) provider to Add-Model dropdown in UI.
  • Set `verbose_logger` level when `LITELLM_LOG=INFO` in proxy.
  • Handled raw OpenAI Pydantic `CompletionUsage` in `_set_usage_outputs` for Arize.
  • Passed `output_config` through to backends that accept it for adapters/Vertex AI.
  • Fixed managed file `model_mappings` when router resolves a single deployment dict (batch models with id == model_name).
  • Proxy now routes Azure container file requests by decoded deployment.
  • Optimized LiteLLM token verification query.
  • Preserved OAuth2 M2M auth for tools routes in MCP.
  • Fixed /metrics hang when `require_auth_for_metrics_endpoint` is true and auth succeeds.
  • Fixed project dropdown being empty for `internal_user` (3 bugs).
  • Blocked path traversal SSRF in BitBucket, Arize Phoenix, and AssemblyAI clients.
  • Scoped `/health` response to caller's models and tidied display fields.
  • Added Your Usage view for admin users on the usage page in UI.
  • Scoped CLI stored token to `base_url` to prevent cross-domain credential leakage.
  • Triggered fallbacks on mid-stream `httpx.TimeoutException`.
  • Implemented targeted per-section writes and dropped `store_model_in_db` gate for /config/update.
  • Closed two unaddressed SSRF cases.
  • Tightened tool permission checks for guardrails.
  • Aligned resource model auth checks in proxy.
  • Returned 503 from /health when targeted model is unhealthy or DB is disconnected.
  • Fixed misplaced import in Lazy OpenAPI Snapshot Test.
  • Tightened managed store access for vector stores.
  • Ensured post call guardrail is called only once.
  • Tightened budget spend admission in proxy.
  • Aligned Bedrock count-tokens endpoint assertions with URL-encoded model ID.
  • Ensured post-call guardrail fires only once.
  • Omitted `system_instruction`/`tools`/`toolConfig` when `cachedContent` is set for Vertex AI.
  • Skipped personal budget hook when reservation covers counter in proxy.
  • Fixed issue where model name prefix was not stripped for OpenRouter models.

Affected Symbols