CVE-2025-49653 — BackendAI vulnerable to Exposure of Sensitive Information to an Unauthorized Act

Description

Exposure of sensitive data in active sessions in Lablup's BackendAI allows attackers to retrieve credentials for users on the management platform. NOTE: The maintainers of BackendAI do not consider this report to fit with their threat model and advise users to follow security advice from https://github.com/lablup/backend.ai/pull/7587 in their instances to protect themselves from the conditions that would lead to the situation described in the CVE record.

How to fix CVE-2025-49653

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-49653 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 25.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-49653
PATCHgithub.com/lablup/backend.ai
WEBgithub.com/lablup/backend.ai/pull/7587
WEBhiddenlayer.com/sai_security_advisor/2025-05-backendai-49653
WEB