
Security researchers at HiddenLayer have disclosed a critical privilege escalation vulnerability in Backend.AI, a widely used container-based cluster platform that powers machine learning and high-performance computing workloads. Tracked as CVE-2025-49653, the flaw carries a near-maximum CVSS score of 9.8 and affects all versions of the software.
Backend.AI supports a range of computing frameworks and AI hardware accelerators including CUDA, ROCm, TPUs, and NPUs, making it a go-to solution for AI infrastructure across research labs and enterprise environments. However, the discovery by HiddenLayer raises serious concerns over how the platform handles session initialization and configuration security.
At the core of the issue is Backend.AI’s handling of interactive sessions. When a user initiates a session, the platform writes sensitive configuration files to a globally readable path:
“By default, BackendAI’s agent will write to /home/config/ when starting an interactive session. These files are readable by the default user.”
These files contain key details such as:
- User email address
- Access keys
- Session configuration parameters
“They contain sensitive information such as the user’s mail, access key, and session settings,” HiddenLayer explains.
A local attacker or a malicious user with access to the system could read /home/config/environ.txt and potentially hijack user sessions. Worse, if the compromised user has administrative privileges, the attacker could escalate their privileges to super administrator level.
“A threat actor accessing that file can perform operations on behalf of the user, potentially granting the threat actor super administrator privileges,” the report warns.
HiddenLayer successfully reproduced the vulnerability in Backend.AI version 25.3.3 with the commit, but confirmed that all versions of Backend.AI are affected. The reproduction was straightforward: launch a session, navigate to the config directory, and exfiltrate the session’s environment data.
“To reproduce this, we started an interactive session. Then, we can read /home/config/environ.txt and read the information,” the report confirms.
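A defender-side check for the exposure described above, added here as an example and not taken from HiddenLayer's report or Backend.AI's code: it walks a config directory, flags regular files readable by group or other, and lists sensitive-looking variable names without printing their values. The name patterns, the `KEY=VALUE` file layout, and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Name fragments treated as sensitive: an assumption based on the data classes
# the report lists (email, access key), not a Backend.AI schema.
SENSITIVE = re.compile(r"(KEY|SECRET|TOKEN|EMAIL|PASSWORD)", re.IGNORECASE)


def audit_config_dir(root):
    """Return [(path, mode, [sensitive variable names])] for exposed files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            mode = stat.S_IMODE(st.st_mode)
            if not mode & (stat.S_IRGRP | stat.S_IROTH):
                continue  # owner-only: not exposed to other local accounts
            names = []
            with open(path, errors="replace") as fh:
                for line in fh:
                    key, sep, _value = line.strip().partition("=")
                    if sep and SENSITIVE.search(key):
                        names.append(key)  # record the name, never the value
            if names:
                findings.append((path, oct(mode), names))
    return findings


def make_constructed_sample(root):
    """Write two constructed files (invented names and values)."""
    body = ("EXAMPLE_USER_EMAIL=user@example.test\n"
            "EXAMPLE_ACCESS_KEY=AKEXAMPLE0000\n"
            "EXAMPLE_SESSION_TYPE=interactive\n")
    for name, mode in (("environ.txt", 0o644), ("locked.txt", 0o600)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # 0o644 is the weak setting, 0o600 the corrected one


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_sample(tmp)
        for path, mode, names in audit_config_dir(tmp):
            print(f"EXPOSED {path} mode={mode} vars={','.join(names)}")
```

Pointing `audit_config_dir` at the session's config directory reports which files need tighter permissions; the check reads mode bits rather than testing access, so the result does not depend on which account runs it.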
While HiddenLayer followed responsible disclosure procedures starting in March 2025, the vendor’s response was disappointing:
- March 28, 2025: Researchers contacted the vendor about the issue.
- April 2, 2025: Vendor responded and outlined their reporting process.
- April 22, 2025: Vendor replied that they “don’t believe these are valid vulnerabilities.”
- Follow-up messages explaining the security implications received no response.
The vendor’s dismissal of the report leaves users exposed, especially in multi-user or shared computing environments.