PT-2026-53386 — Pypi Backpropagate

PT-2026-53386 · Pypi · Backpropagate

Publicado

2026-06-29

Atualizado

2026-06-29

CVSS v4.0

9.3

Crítica

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

In backpropagate >= 1.1.0, the optional Reflex web UI (pip install backpropagate[ui], launched via backprop ui) exposes a training control plane: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push.

The CLI accepts two operator-facing flags intended as security controls:

--auth user:pass — documented as "require HTTP Basic authentication on every request to the UI."
--share — documented as "expose the UI on a public address; requires --auth."

When --auth user:pass is passed, the CLI prints Auth: enabled (user: <username>) to confirm to the operator that authentication is active, then exports BACKPROPAGATE UI AUTH=user:pass to the subprocess that launches the Reflex backend.

The Reflex backend (backpropagate/ui app/**) never reads BACKPROPAGATE UI AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port — local or remote, depending on whether --share is used — has full UI access.

An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP GATE) advertised the contract as enforced.

This advisory is filed primarily because the runtime contradicted an operator-facing security claim. Code-only bugs of comparable shape (auth check missing entirely from a path) would already warrant disclosure; the additional false-promise dimension raises the severity.

Impact

An attacker who reaches the bound port can:

Read uploaded datasets rendered in the UI preview, including content of any JSONL/CSV/TXT file the legitimate operator has uploaded for fine-tuning.
Trigger arbitrary training runs against any base model the operator has installed locally or that can be downloaded from HuggingFace.
Trigger HuggingFace Hub pushes to repositories named via the UI input (subject to the operator's local HF token's scope — typically all repos owned by the operator).
Cause disk-fill DoS via the rx.upload endpoint (no size cap, no extension filter, no per-session count cap in v1.1.0 / v1.1.1).
Read model paths (source model path, dataset path, model, uploaded path) which are user-supplied and bypass the safe path() helper that lives in backpropagate/ui security.py (path validation is dead code on the Reflex surface in v1.1.0 / v1.1.1).

The combination of unauthenticated training control, HF push target spoofing, and path-input traversal makes the affected endpoint suitable for both data exfiltration (reading uploaded training data) and supply-chain attacks (pushing tampered model weights to the operator's HF account).

The local-only default (no --share) reduces exposure to a host-local attacker. The --share flag is documented as a "public URL" feature; operators who used --share --auth user:pass had no warning that the auth half was inert.

Patches

Fixed in v1.2.0 (released 2026-05-23). The patch implements real ASGI middleware via rx.App(api transformer=basic auth transformer) that gates HTTP routes AND the / event WebSocket upgrade. Four modes (no auth local only / token auto / explicit creds / production), HMAC-signed cookie validated PRE-websocket.accept(), Host + Origin allowlists. The middleware ships alongside a 4-layer defense in depth at the cli.py / ui app/app.py / rxconfig.py / env-strip surfaces so direct python -m reflex run invocations (bypassing the CLI guard) also enforce authentication.

Upgrade with:

pip: pip install --upgrade backpropagate
npm: npm install -g @mcptoolshop/backpropagate@latest

Full release notes: https://github.com/mcp-tool-shop-org/backpropagate/blob/main/CHANGELOG.md#120---2026-05-23

Workarounds

If users cannot upgrade immediately:

Do not pass --auth or --share to backprop ui. Run the UI with no flags (backprop ui); it will bind to localhost and accept any client that can reach 127.0.0.1.
For remote access, use SSH port-forwarding instead of --share:

# On the client:
ssh -L 7860:localhost:7860 <training-host>
# On the server:
backprop ui      # no --share
# Then open http://localhost:7860 in your local browser.

SSH provides the authentication layer the Reflex UI did not. 3. Audit existing deployments. If any host running backpropagate >= 1.1.0 has previously been launched with --share, treat any uploaded training data, model paths, or HF push targets visible in that UI session as potentially exposed. Re-issue HF tokens that have been in use during such sessions.

Binary distribution gap. Standalone binaries (Windows .exe / macOS .app via PyInstaller) failed to build for v1.2.0 and will land in a follow-up patch release. In the interim, users who relied on the v1.1.x binary distribution should install the patched version via pip install backpropagate==1.2.0 to receive the auth-bypass fix. The v1.2.0 PyPI package and @mcptoolshop/backpropagate@1.2.0 npm package both carry the patched code.

Credit

Discovered by the dogfood-swarm Stage A audit on 2026-05-22 (finding ID FRONTEND-A-001, classified CRITICAL). The audit also surfaced contradicting documentation in CHANGELOG / SHIP GATE / README; those were corrected in v1.2.0 alongside the runtime fix.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Identificadores relacionados

PYSEC-2026-291

Produtos afetados

Backpropagate