CVE-2025-49653 backend.ai

Package

Manager: pip
Name: backend.ai
Vulnerable Version: >=0 <=25.3.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00059 (percentile: 0.18418)

Details

BackendAI vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Exposure of sensitive data in active sessions in Lablup's BackendAI allows attackers to retrieve credentials for users on the management platform.

Metadata

Created: 2025-06-09T18:32:17Z
Modified: 2025-06-11T17:38:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-hxvr-gg2w-j48x/GHSA-hxvr-gg2w-j48x.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-hxvr-gg2w-j48x
Finding: F038
Auto approve: 1