[GHSA-h889-475r-wfmm] Backend.AI Missing Authorization vulnerability #6669
Conversation
Pull request overview
This PR updates the GitHub Security Advisory GHSA-h889-475r-wfmm for Backend.AI to clarify that the reported vulnerability is a false positive. The advisory now includes a detailed explanation that the vulnerability only exists in misconfigured development setups and not in properly configured production deployments.
Changes:
- Updated the advisory description to explain why this is a false-positive report
- Changed the version range from "last_affected: 25.3.3" to "fixed: 25.19.0"
- Added database_specific field with last_known_affected_version_range
| ], | ||
| "summary": "Backend.AI Missing Authorization vulnerability", | ||
| "details": "Missing Authorization in Lablup's BackendAI allows attackers to takeover all active sessions; Accessing, stealing, or altering any data accessible in the session. This vulnerability exists in all current versions of BackendAI.", | ||
| "details": "Missing Authorization in Lablup's BackendAI allows attackers to takeover all active sessions; Accessing, stealing, or altering any data accessible in the session. This vulnerability exists in all current versions of BackendAI.\n\nThis is a false-positive report because our Backend.AI platform is never intended to expose the worker node's container ports directly to the \"outside\" of the cluster.\n \nOn the report, the test was conducted using a local all-in-one setup and \"0.0.0.0\" address to directly access the container's public ports via the port number 30729.\nThere are two problems here:\n0.0.0.0 is routed to the loopback address (127.0.0.1) in most operating systems.\n30729 is within the range of container ports controlled by Backend.AI Agent, which are not intended to be exposed outside the cluster.\nThe default configuration for such single-node all-in-one (for development) setups uses 127.0.0.1 as the binding address of the container's public ports, so if you access the container port from other nodes (not from the local browser), it is not accessible.\nThe location of default dev-setup configurations for reference:\ncontainer port range: \nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (30000 to 31000)\ncontainer port binding address:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (127.0.0.1)\nThe default port range for container applications exposed to outside by Backend.AI App Proxy is 10205 to 10300, providing proper user authentication:\napp proxy worker port range:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/app-proxy-worker/halfstack.toml#L22 (10205 to 10300)\nWe clarified this fact and cautions to users in our new upcoming release (v25.19) as follows:\nhttps://github.com/lablup/backend.ai/pull/7587\n \nAgain, Backend.AI requires any production 
deplyoment to have separate networks for cluster's internal communication and public/external access, and all user traffic goes through the App Proxy component which implements the authentication based on web sessions when accessing the container applications.", |
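Review bot: the new "details" string keeps the reporter's sentence "This vulnerability exists in all current versions of BackendAI." verbatim and then declares the report a false positive, so the field contradicts itself; introduce the first paragraph as the original claim (for example "The original report stated: ...") before the maintainers' rebuttal. The sentence "0.0.0.0 is routed to the loopback address (127.0.0.1) in most operating systems" also conflates two things: as a connect target 0.0.0.0 reaches the local host on Linux and is rejected on some other systems, whereas as a bind address it means every interface. Say which one the reporter used, and state plainly that what limits reachability is the agent's 127.0.0.1 bind address in halfstack.toml, not the client's choice of 0.0.0.0.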
Copilot (AI), Jan 19, 2026
Spelling error: "deplyoment" should be "deployment".
| "details": "Missing Authorization in Lablup's BackendAI allows attackers to takeover all active sessions; Accessing, stealing, or altering any data accessible in the session. This vulnerability exists in all current versions of BackendAI.\n\nThis is a false-positive report because our Backend.AI platform is never intended to expose the worker node's container ports directly to the \"outside\" of the cluster.\n \nOn the report, the test was conducted using a local all-in-one setup and \"0.0.0.0\" address to directly access the container's public ports via the port number 30729.\nThere are two problems here:\n0.0.0.0 is routed to the loopback address (127.0.0.1) in most operating systems.\n30729 is within the range of container ports controlled by Backend.AI Agent, which are not intended to be exposed outside the cluster.\nThe default configuration for such single-node all-in-one (for development) setups uses 127.0.0.1 as the binding address of the container's public ports, so if you access the container port from other nodes (not from the local browser), it is not accessible.\nThe location of default dev-setup configurations for reference:\ncontainer port range: \nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (30000 to 31000)\ncontainer port binding address:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (127.0.0.1)\nThe default port range for container applications exposed to outside by Backend.AI App Proxy is 10205 to 10300, providing proper user authentication:\napp proxy worker port range:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/app-proxy-worker/halfstack.toml#L22 (10205 to 10300)\nWe clarified this fact and cautions to users in our new upcoming release (v25.19) as follows:\nhttps://github.com/lablup/backend.ai/pull/7587\n \nAgain, Backend.AI requires any production 
deplyoment to have separate networks for cluster's internal communication and public/external access, and all user traffic goes through the App Proxy component which implements the authentication based on web sessions when accessing the container applications.", | |
| "details": "Missing Authorization in Lablup's BackendAI allows attackers to takeover all active sessions; Accessing, stealing, or altering any data accessible in the session. This vulnerability exists in all current versions of BackendAI.\n\nThis is a false-positive report because our Backend.AI platform is never intended to expose the worker node's container ports directly to the \"outside\" of the cluster.\n \nOn the report, the test was conducted using a local all-in-one setup and \"0.0.0.0\" address to directly access the container's public ports via the port number 30729.\nThere are two problems here:\n0.0.0.0 is routed to the loopback address (127.0.0.1) in most operating systems.\n30729 is within the range of container ports controlled by Backend.AI Agent, which are not intended to be exposed outside the cluster.\nThe default configuration for such single-node all-in-one (for development) setups uses 127.0.0.1 as the binding address of the container's public ports, so if you access the container port from other nodes (not from the local browser), it is not accessible.\nThe location of default dev-setup configurations for reference:\ncontainer port range: \nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (30000 to 31000)\ncontainer port binding address:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (127.0.0.1)\nThe default port range for container applications exposed to outside by Backend.AI App Proxy is 10205 to 10300, providing proper user authentication:\napp proxy worker port range:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/app-proxy-worker/halfstack.toml#L22 (10205 to 10300)\nWe clarified this fact and cautions to users in our new upcoming release (v25.19) as follows:\nhttps://github.com/lablup/backend.ai/pull/7587\n \nAgain, Backend.AI requires any production 
deployment to have separate networks for cluster's internal communication and public/external access, and all user traffic goes through the App Proxy component which implements the authentication based on web sessions when accessing the container applications.", |
Copilot (AI), Jan 19, 2026
Both "container port range" and "container port binding address" reference the same GitHub link ending with "#L31". These should likely point to different line numbers in the configuration file, as they describe different configuration settings. Please verify that the line references are correct.
| "details": "Missing Authorization in Lablup's BackendAI allows attackers to takeover all active sessions; Accessing, stealing, or altering any data accessible in the session. This vulnerability exists in all current versions of BackendAI.\n\nThis is a false-positive report because our Backend.AI platform is never intended to expose the worker node's container ports directly to the \"outside\" of the cluster.\n \nOn the report, the test was conducted using a local all-in-one setup and \"0.0.0.0\" address to directly access the container's public ports via the port number 30729.\nThere are two problems here:\n0.0.0.0 is routed to the loopback address (127.0.0.1) in most operating systems.\n30729 is within the range of container ports controlled by Backend.AI Agent, which are not intended to be exposed outside the cluster.\nThe default configuration for such single-node all-in-one (for development) setups uses 127.0.0.1 as the binding address of the container's public ports, so if you access the container port from other nodes (not from the local browser), it is not accessible.\nThe location of default dev-setup configurations for reference:\ncontainer port range: \nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (30000 to 31000)\ncontainer port binding address:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (127.0.0.1)\nThe default port range for container applications exposed to outside by Backend.AI App Proxy is 10205 to 10300, providing proper user authentication:\napp proxy worker port range:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/app-proxy-worker/halfstack.toml#L22 (10205 to 10300)\nWe clarified this fact and cautions to users in our new upcoming release (v25.19) as follows:\nhttps://github.com/lablup/backend.ai/pull/7587\n \nAgain, Backend.AI requires any production 
deplyoment to have separate networks for cluster's internal communication and public/external access, and all user traffic goes through the App Proxy component which implements the authentication based on web sessions when accessing the container applications.", | |
| "details": "Missing Authorization in Lablup's BackendAI allows attackers to takeover all active sessions; Accessing, stealing, or altering any data accessible in the session. This vulnerability exists in all current versions of BackendAI.\n\nThis is a false-positive report because our Backend.AI platform is never intended to expose the worker node's container ports directly to the \"outside\" of the cluster.\n \nOn the report, the test was conducted using a local all-in-one setup and \"0.0.0.0\" address to directly access the container's public ports via the port number 30729.\nThere are two problems here:\n0.0.0.0 is routed to the loopback address (127.0.0.1) in most operating systems.\n30729 is within the range of container ports controlled by Backend.AI Agent, which are not intended to be exposed outside the cluster.\nThe default configuration for such single-node all-in-one (for development) setups uses 127.0.0.1 as the binding address of the container's public ports, so if you access the container port from other nodes (not from the local browser), it is not accessible.\nThe location of default dev-setup configurations for reference:\ncontainer port range: \nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (30000 to 31000)\ncontainer port binding address:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L32 (127.0.0.1)\nThe default port range for container applications exposed to outside by Backend.AI App Proxy is 10205 to 10300, providing proper user authentication:\napp proxy worker port range:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/app-proxy-worker/halfstack.toml#L22 (10205 to 10300)\nWe clarified this fact and cautions to users in our new upcoming release (v25.19) as follows:\nhttps://github.com/lablup/backend.ai/pull/7587\n \nAgain, Backend.AI requires any production 
deplyoment to have separate networks for cluster's internal communication and public/external access, and all user traffic goes through the App Proxy component which implements the authentication based on web sessions when accessing the container applications.", |
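Review bot: the suggested #L32 anchor for the bind address is a guess rather than a verified reference; the URL pins commit 9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1, so open configs/agent/halfstack.toml at that commit and confirm that #L31 holds the port range and #L32 the bind address before accepting, otherwise the advisory will send readers to the wrong setting.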
rapsealk
left a comment
I've updated BackendAI to Backend.AI.
| "details": "Missing Authorization in Lablup's BackendAI allows attackers to takeover all active sessions; Accessing, stealing, or altering any data accessible in the session. This vulnerability exists in all current versions of BackendAI.\n\nThis is a false-positive report because our Backend.AI platform is never intended to expose the worker node's container ports directly to the \"outside\" of the cluster.\n \nOn the report, the test was conducted using a local all-in-one setup and \"0.0.0.0\" address to directly access the container's public ports via the port number 30729.\nThere are two problems here:\n0.0.0.0 is routed to the loopback address (127.0.0.1) in most operating systems.\n30729 is within the range of container ports controlled by Backend.AI Agent, which are not intended to be exposed outside the cluster.\nThe default configuration for such single-node all-in-one (for development) setups uses 127.0.0.1 as the binding address of the container's public ports, so if you access the container port from other nodes (not from the local browser), it is not accessible.\nThe location of default dev-setup configurations for reference:\ncontainer port range: \nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (30000 to 31000)\ncontainer port binding address:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (127.0.0.1)\nThe default port range for container applications exposed to outside by Backend.AI App Proxy is 10205 to 10300, providing proper user authentication:\napp proxy worker port range:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/app-proxy-worker/halfstack.toml#L22 (10205 to 10300)\nWe clarified this fact and cautions to users in our new upcoming release (v25.19) as follows:\nhttps://github.com/lablup/backend.ai/pull/7587\n \nAgain, Backend.AI requires any production 
deplyoment to have separate networks for cluster's internal communication and public/external access, and all user traffic goes through the App Proxy component which implements the authentication based on web sessions when accessing the container applications.", | |
| "details": "Missing Authorization in Lablup's Backend.AI allows attackers to takeover all active sessions; Accessing, stealing, or altering any data accessible in the session. This vulnerability exists in all current versions of Backend.AI.\n\nThis is a false-positive report because our Backend.AI platform is never intended to expose the worker node's container ports directly to the \"outside\" of the cluster.\n \nOn the report, the test was conducted using a local all-in-one setup and \"0.0.0.0\" address to directly access the container's public ports via the port number 30729.\nThere are two problems here:\n0.0.0.0 is routed to the loopback address (127.0.0.1) in most operating systems.\n30729 is within the range of container ports controlled by Backend.AI Agent, which are not intended to be exposed outside the cluster.\nThe default configuration for such single-node all-in-one (for development) setups uses 127.0.0.1 as the binding address of the container's public ports, so if you access the container port from other nodes (not from the local browser), it is not accessible.\nThe location of default dev-setup configurations for reference:\ncontainer port range: \nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (30000 to 31000)\ncontainer port binding address:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/agent/halfstack.toml#L31 (127.0.0.1)\nThe default port range for container applications exposed to outside by Backend.AI App Proxy is 10205 to 10300, providing proper user authentication:\napp proxy worker port range:\nhttps://github.com/lablup/backend.ai/blob/9bc6db46a7cd2850a1f229ebf1bcdfeeb2a3abb1/configs/app-proxy-worker/halfstack.toml#L22 (10205 to 10300)\nWe clarified this fact and cautions to users in our new upcoming release (v25.19) as follows:\nhttps://github.com/lablup/backend.ai/pull/7587\n \nAgain, Backend.AI requires any production 
deplyoment to have separate networks for cluster's internal communication and public/external access, and all user traffic goes through the App Proxy component which implements the authentication based on web sessions when accessing the container applications.", |
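Review bot: this suggestion renames BackendAI to Backend.AI in the opening sentence but still carries "deplyoment" and the duplicated #L31 anchor that the other two suggestions fix; all three edit the same "details" line, so apply them as one batch (or fold the other two fixes into this suggestion) rather than letting the last accepted suggestion overwrite the others.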
Updates
Comments
As noted in the added content, this vulnerability is a false positive.
The relevant details have been added to the documentation in version 25.19.0.
lablup/backend.ai#7587
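The advisory text above rests on two configuration facts: the agent's container ports (30000 to 31000 in the dev setup) are bound to 127.0.0.1, and only the App Proxy worker range (10205 to 10300) is meant to be reachable from outside, behind session authentication. The following is an added example, not code from Backend.AI or from this PR, that audits an agent config for the misconfiguration the report describes and classifies a port such as 30729 against the two ranges. The sample config is constructed, and the `[container]` section with `bind-host` and `port-range` keys is an assumption about the layout of halfstack.toml, not a verified reference.

```python
"""Audit a Backend.AI-style agent config for container ports exposed beyond loopback."""
import ipaddress
import re

# Port range the advisory attributes to the App Proxy worker, which fronts
# container apps with web-session authentication.
APP_PROXY_PORT_RANGE = (10205, 10300)

# Constructed sample modelled on a single-node dev config. The section and key
# names ([container] bind-host / port-range) are assumptions, not verified
# against the project's halfstack.toml.
DEV_CONFIG = """
[agent]
mode = "docker"

[container]
port-range = [30000, 31000]   # ports handed out to kernel containers
bind-host = "127.0.0.1"       # where those ports are published on the host
"""

# Same config with the weak setting: container ports published on every interface.
MISCONFIGURED = DEV_CONFIG.replace('bind-host = "127.0.0.1"', 'bind-host = "0.0.0.0"')


def parse_minimal_toml(text):
    """Parse only what the audit needs: [section] headers, quoted strings and
    integer arrays. Returns {section: {key: value}}. Comments are stripped."""
    data = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            data.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith('"') and value.endswith('"'):
            parsed = value[1:-1]
        elif value.startswith("[") and value.endswith("]"):
            parsed = [int(x) for x in value[1:-1].split(",") if x.strip()]
        else:
            parsed = value
        data.setdefault(section, {})[key] = parsed
    return data


def bind_is_loopback(host):
    """True when the bind address only admits connections from the same host."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def classify_port(port, container_range):
    """Tell whether a port belongs to the agent's container range (never meant to
    be exposed) or to the App Proxy range (authenticated, exposed by design)."""
    lo, hi = container_range
    if lo <= port <= hi:
        return "agent-container"
    plo, phi = APP_PROXY_PORT_RANGE
    if plo <= port <= phi:
        return "app-proxy"
    return "other"


def audit_agent_config(text):
    """Return the effective bind host, the container port range and a list of
    findings describing exposure beyond loopback."""
    container = parse_minimal_toml(text).get("container", {})
    host = container.get("bind-host")
    port_range = tuple(container.get("port-range", (30000, 31000)))
    findings = []
    if host is None:
        findings.append("bind-host is not set; verify the effective default "
                        "before assuming container ports are loopback-only")
    elif not bind_is_loopback(host):
        findings.append(
            f"container ports {port_range[0]}-{port_range[1]} are bound to {host}: "
            "reachable from other hosts without App Proxy authentication")
    return {"bind_host": host, "port_range": port_range, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("dev default", DEV_CONFIG), ("misconfigured", MISCONFIGURED)):
        result = audit_agent_config(cfg)
        print(label, result["bind_host"], result["findings"] or "no findings")
    print("port 30729 is", classify_port(30729, (30000, 31000)))
```

Run it against the real agent config of a deployment after adjusting the key names to match the file; a non-loopback bind host on the container range is the condition under which the reporter's access to port 30729 would work from another machine, and that is the setting to fix rather than the App Proxy.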