SAI Security Advisory

Exposure of sensitive Information allows account takeover

June 9, 2025

Products Impacted

This vulnerability is present in all versions of BackendAI. We tested on version 25.3.3 (commit f7f8fe33ea0230090f1d0e5a936ef8edd8cf9959).

CVSS Score: 8.0

AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE Categorization

CWE-200: Exposure of Sensitive Information

Details

To reproduce this, we started an interactive session

Then, we can read /home/config/environ.txt and read the information.

Timeline

March 28, 2025 — Contacted vendor to let them know we have identified security vulnerabilities and ask how we should report them.

April 02, 2025 — Vendor answered letting us know their process, which we followed to send the report.

April 21, 2025 — Vendor sent confirmation that their security team was working on actions for two of the vulnerabilities and they were unable to reproduce another.

April 21, 2025 — Follow up email sent providing additional steps on how to reproduce the third vulnerability and offered to have a call with them regarding this.

May 30, 2025 — Attempt to reach out to vendor prior to public disclosure date.

June 03, 2025 — Final attempt to reach out to vendor prior to public disclosure date.

June 09, 2025 — HiddenLayer public disclosure.

Project URL

https://www.backend.ai/

https://github.com/lablup/backend.ai

Researcher: Esteban Tonglet, Security Researcher, HiddenLayer
Researcher: Kasimir Schulz, Director, Security Research, HiddenLayer

Related SAI Security Advisory

CVE-2025-62354

November 26, 2025

Allowlist Bypass in Run Terminal Tool Allows Arbitrary Code Execution During Autorun Mode

Cursor

When in autorun mode with the secure ‘Follow Allowlist’ setting, Cursor checks commands sent to run in the terminal by the agent to see if a command has been specifically allowed. The function that checks the command has a bypass to its logic, allowing an attacker to craft a command that will execute non-whitelisted commands.

November 2025
SAI-ADV-2025-012

October 17, 2025

Data Exfiltration from Tool-Assisted Setup

Windsurf

Windsurf’s automated tools can execute instructions contained within project files without asking for user permission. This means an attacker can hide instructions within a project file to read and extract sensitive data from project files (such as a .env file) and insert it into web requests for the purposes of exfiltration.

October 2025