Platform
python
Component
backend-ai
Fixed in
25.15.6
CVE-2025-49652 is a critical vulnerability in Lablup's BackendAI affecting versions up to and including 22.3.0. The registration feature performs no authentication check before creating an account, so an unauthenticated caller can register even when an operator has intentionally disabled registration. A self-created account can then be used to reach private data that the registration control was meant to protect, putting data confidentiality at risk.
The impact is severe because exploitation is trivial: no credential, invite or other verification is required before the account is created. An attacker who bypasses the registration control obtains a foothold in the deployment from which to read whatever the new account can see, which may include user information, proprietary models or datasets, and other confidential resources stored in BackendAI. Depending on the default permissions assigned to newly registered accounts, the same foothold could be used for data exfiltration or as a starting point for further privilege escalation.
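The following is an added example, not Backend.AI's own code, that shows the bug class described above in a minimal form: a registration handler that never consults the "registration enabled" setting, next to a hardened version that refuses unauthenticated signups unless the caller presents an operator-issued invite bound to the requested e-mail address. The settings keys `signup_enabled` and `invite_secret`, the request dictionary shape and the invite-token scheme are assumptions made for the demonstration.

```python
"""Illustrative registration handler showing the missing-check pattern behind
CVE-2025-49652 beside a hardened version.

Added example, not Backend.AI's code: the settings keys ``signup_enabled`` and
``invite_secret``, the request dict shape and the invite-token scheme are all
assumptions made for this demonstration.
"""
import hashlib
import hmac
from typing import Dict


class RegistrationDenied(Exception):
    """Raised when a signup request is rejected."""


def _new_user_record(email: str) -> Dict[str, object]:
    # A fresh, non-privileged account; a real system would hash a password here.
    return {"email": email, "role": "user"}


def signup_vulnerable(store: Dict[str, dict], settings: dict, request: dict) -> str:
    """Missing-check pattern: the handler never looks at settings["signup_enabled"],
    so an unauthenticated caller can create an account even when an operator has
    switched registration off."""
    email = request["email"]
    if email in store:
        raise RegistrationDenied("account already exists")
    store[email] = _new_user_record(email)
    return email


def issue_invite(settings: dict, email: str) -> str:
    """Operator-side helper: mint an invite token bound to one e-mail address.
    Binding the token to the address stops a leaked invite being reused to
    register an arbitrary account."""
    return hmac.new(settings["invite_secret"], email.encode(), hashlib.sha256).hexdigest()


def signup_hardened(store: Dict[str, dict], settings: dict, request: dict) -> str:
    """Same handler with the gate in place: when registration is disabled the
    request must carry a valid operator-issued invite for exactly this e-mail."""
    email = request["email"]
    if not settings.get("signup_enabled", False):
        presented = request.get("invite_token", "")
        expected = issue_invite(settings, email)
        # Constant-time comparison so the token cannot be recovered via timing.
        if not hmac.compare_digest(presented, expected):
            raise RegistrationDenied("registration is disabled")
    if email in store:
        raise RegistrationDenied("account already exists")
    store[email] = _new_user_record(email)
    return email


def demo() -> Dict[str, bool]:
    """Exercise both handlers with registration switched off."""
    settings = {"signup_enabled": False, "invite_secret": b"example-secret-do-not-use"}
    anon_request = {"email": "attacker@example.net"}  # no credentials at all
    results: Dict[str, bool] = {}

    store: Dict[str, dict] = {}
    signup_vulnerable(store, settings, anon_request)
    results["vulnerable_created_account"] = "attacker@example.net" in store

    store = {}
    try:
        signup_hardened(store, settings, anon_request)
        results["hardened_blocked_anon"] = False
    except RegistrationDenied:
        results["hardened_blocked_anon"] = True

    invited = {"email": "newhire@example.com",
               "invite_token": issue_invite(settings, "newhire@example.com")}
    signup_hardened(store, settings, invited)
    results["hardened_accepted_invite"] = "newhire@example.com" in store

    # An invite minted for one address must not create a different account.
    stolen = {"email": "attacker@example.net",
              "invite_token": issue_invite(settings, "newhire@example.com")}
    try:
        signup_hardened(store, settings, stolen)
        results["hardened_blocked_reused_invite"] = False
    except RegistrationDenied:
        results["hardened_blocked_reused_invite"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened handler is that the "registration disabled" flag is enforced server-side on every signup request, not only hidden in the UI, and that the only way past it is a credential the operator issued and that is tied to the account being created.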
CVE-2025-49652 was publicly disclosed on 2025-06-09. Its EPSS score is currently low (0.07%, 21st percentile), and no public proof-of-concept (PoC) code had been released as of this writing. The flaw is nevertheless simple to trigger, since it amounts to sending a registration request that the server should have refused, so a PoC may well appear. Monitor security advisories and threat intelligence feeds for signs of active exploitation.
Exploit Status
EPSS
0.07% (21st percentile)
The primary mitigation is to upgrade BackendAI to version 25.15.6 or later, which adds the missing authentication check. If an immediate upgrade is not feasible, disable the registration feature in BackendAI to block new account creation; this reduces the attack surface but is not a complete fix, because the vulnerable code path is the one that ignores that setting. In addition, review existing user accounts for any you did not expect to see, enable multi-factor authentication (MFA) for all accounts, and monitor BackendAI logs for account creations that occur while registration is disabled or for bursts of registrations from a single source.
Update BackendAI to the latest available version. If you cannot upgrade yet, temporarily disable user registration or put authentication in front of the registration process. See the HiddenLayer advisory for more details and potential mitigations.
CVE-2025-49652 describes a missing authentication check in BackendAI's registration feature, allowing unauthorized account creation and potential access to private data.
You are affected if you run BackendAI version 22.3.0 or earlier. Upgrade to 25.15.6 or later to resolve the vulnerability.
Upgrade BackendAI to version 25.15.6 or later. As a temporary workaround, disable the registration feature until the upgrade can be performed.
No active exploitation had been confirmed as of this writing, but the vulnerability is simple to trigger, so exploitation attempts are likely. Monitor security advisories for updates.
Refer to the official Lablup security advisories page for the latest information and updates regarding CVE-2025-49652.