Miggo Logo
Miggo Vulnerability Database
CVE-2025-49652

CVE-2025-49652: BackendAI Missing Authentication for Critical Function

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-49652
GHSA ID
GHSA-ww28-4m4v-cq4j
EPSS Score
0.19982%
CWE
CWE-306
Published
6/9/2025
Updated
6/11/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
backend.aipip<= 25.3.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability CVE-2025-49652, as described by NVD and detailed in the HiddenLayer security advisory, pertains to a missing authentication for a critical function in Lablup's BackendAI, specifically affecting the user registration feature. The HiddenLayer advisory is the primary source of technical detail, stating that the API endpoint /func/auth/signup can be exploited to create user accounts arbitrarily, even if the instance is configured to disallow new registrations. This allows attackers to gain unauthorized access.

To identify the vulnerable function, the following steps were taken:

  1. Reviewed the vulnerability description and the HiddenLayer advisory, which pinpointed the /func/auth/signup endpoint as the entry point for the exploit.
  2. Attempted to gather more specific code details using available tools, but direct file access to the repository via tools was unsuccessful due to credential issues, and no specific patch commits were provided.
  3. Based on the typical structure of BackendAI (manually inferred by looking at the public GitHub repository lablup/backend.ai around the vulnerable version 25.3.3), API routes like /func/{service}/{operation} (e.g., /func/auth/signup) are handled by specific agent methods. The auth service and signup operation strongly point to a signup method within an authentication-related agent.
  4. This led to identifying ai.backend.manager.auth.AuthAgent.signup located in src/ai/backend/manager/auth.py as the most probable function handling requests to the /func/auth/signup endpoint.
  5. The vulnerability lies in this function's failure to adequately check whether user registration is permitted by the system's configuration before proceeding with account creation.

The confidence is 'Medium' because while the vulnerable endpoint is clearly identified by the advisory, the mapping to the specific Python function and method name relies on an understanding of the BackendAI framework's routing and code structure, rather than direct evidence from a patch diff. However, this function is the logical handler for the exploitable endpoint and the described vulnerable behavior (allowing signup when disabled).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Missin* *ut**nti**tion in t** r**istr*tion ***tur* o* L**lup's ***k*n**I *llows *r*itr*ry us*rs to *r**t* us*r ***ounts t**t **n ****ss priv*t* **t* *v*n w**n r**istr*tion is *is**l**.

Reasoning

T** vuln*r**ility *V*-****-*****, *s **s*ri*** *y NV* *n* **t*il** in t** *i***nL*y*r s**urity **visory, p*rt*ins to * missin* *ut**nti**tion *or * *riti**l *un*tion in L**lup's ***k*n**I, sp**i*i**lly *****tin* t** us*r r**istr*tion ***tur*. T** *i*