HiddenLayer, a Gartner recognized Cool Vendor for AI Security, is the leading provider of Security for AI. Its security platform helps enterprises safeguard the machine learning models behind their most important products. HiddenLayer is the only company to offer turnkey security for AI that does not add unnecessary complexity to models and does not require access to raw data and algorithms. Founded by a team with deep roots in security and ML, HiddenLayer aims to protect enterprise’s AI from inference, bypass, extraction attacks, and model theft. The company is backed by a group of strategic investors, including M12, Microsoft’s Venture Fund, Moore Strategic Ventures, Booz Allen Ventures, IBM Ventures, and Capital One Ventures.
Jun 09, 2025
Missing Authorization for Interactive Sessions
CVE Number
CVE-2025-49651
Summary
BackendAI interactive sessions do not verify whether a user is authorized and doesn’t have authentication. These missing verifications allow attackers to take over the sessions and access the data (models, code, etc.), alter the data or results, and stop the user from accessing their session.
Products Impacted
This vulnerability is present in all versions of BackendAI. We tested on version 25.3.3 (commit f7f8fe33ea0230090f1d0e5a936ef8edd8cf9959).
CVSS Score: 8.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE Categorization
CWE-862: Missing authorization
Details
When a user starts an interactive session, a web terminal gets exposed to a random port. A threat actor can scan the ports until they find an open interactive session and access it without any authorization or prior authentication.
To reproduce this, we created a session with all settings set to default.
Then, we accessed the web terminal in a new tab
However, while simulating the threat actor, we access the same URL in an “incognito window” — eliminating any cache, cookies, or login credentials — we can still reach it, demonstrating the absence of proper authorization controls.
Improper access control arbitrary allows account creation
CVE Number
CVE-2025-49652
Summary
By default, BackendAI doesn’t enable account creation. However, an exposed endpoint allows anyone to sign up with a user-privileged account. This flaw allows threat actors to initiate their own unauthorized session and exploit the resources—to install cryptominers, use the session as a malware distribution endpoint—or to access exposed data through user-accessible storages.
Products Impacted
This vulnerability is present in all versions of BackendAI. We tested on version 25.3.3 (commit f7f8fe33ea0230090f1d0e5a936ef8edd8cf9959).
CVSS Score: 9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE Categorization
CWE-284: Improper Access Control
Details
To sign up, an attacker can use the API endpoint /func/auth/signup. Then, using the login credentials, the attacker can access the account.
To reproduce this, we made a Python script to reach the endpoint and signup. Using those login credentials on the endpoint /server/login we get a valid session. When running the exploit, we get a valid AIOHTTP_SESSION cookie, or we can reuse the credentials to log in.
We can then try to login with those credentials and notice that we successfully logged in
Exposure of sensitive Information allows account takeover
CVE Number
CVE-2025-49653
Summary
By default, BackendAI’s agent will write to /home/config/ when starting an interactive session. These files are readable by the default user. However, they contain sensitive information such as the user’s mail, access key, and session settings. A threat actor accessing that file can perform operations on behalf of the user, potentially granting the threat actor super administrator privileges.
Products Impacted
This vulnerability is present in all versions of BackendAI. We tested on version 25.3.3 (commit f7f8fe33ea0230090f1d0e5a936ef8edd8cf9959).
CVSS Score: 8.0
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE Categorization
CWE-200: Exposure of Sensitive Information
Details
To reproduce this, we started an interactive session
Then, we can read /home/config/environ.txt and read the information.
Timeline
March 28, 2025 — Contacted vendor to let them know we have identified security vulnerabilities and ask how we should report them.
April 02, 2025 — Vendor answered letting us know their process, which we followed to send the report.
April 21, 2025 — Vendor sent confirmation that their security team was working on actions for two of the vulnerabilities and they were unable to reproduce another.
April 21, 2025 — Follow up email sent providing additional steps on how to reproduce the third vulnerability and offered to have a call with them regarding this.
May 30, 2025 — Attempt to reach out to vendor prior to public disclosure date.
June 03, 2025 — Final attempt to reach out to vendor prior to public disclosure date.
June 09, 2025 — HiddenLayer public disclosure.
