Cross-Tenant Data Leakage in AWS Bedrock's Custom Model Fine-Tuning Service
Overview
A high-severity information disclosure vulnerability was discovered in the AWS Bedrock fine-tuning service. The flaw stemmed from a race condition and improper memory cleanup on the underlying shared GPU infrastructure used for training jobs. When multiple fine-tuning jobs from different AWS customers (tenants) were scheduled back-to-back on the same physical GPU, it was possible for a subsequent job to access residual data left in the GPU's VRAM from the previous job. A malicious actor could start a fine-tuning job with a specially crafted model and dataset designed to read and record the entire contents of VRAM at the start of its execution. If timed correctly, this could capture fragments of the dataset belonging to the previous tenant's fine-tuning job. This exposed sensitive, proprietary data that customers were using to train their custom models, including PII, financial data, and corporate trade secrets. The vulnerability was discovered and reported responsibly by a cloud security firm, and AWS has since patched the issue.
Affected Systems
Testing Guide
This vulnerability could not be tested or verified by external customers due to its dependency on the internal workings of the AWS scheduler and infrastructure. Verification was performed by AWS internal security teams and the reporting third-party research firm.

1. **Check AWS Communication:** Review your AWS Health Dashboard and security bulletins for notifications related to CVE-2025-45882 to confirm the issue is resolved in your region.
Mitigation Steps
1. **No Customer Action Required:** AWS has deployed a mandatory, server-side patch that resolves this issue for all customers.
2. **Data Minimization:** As a general best practice, review and sanitize all datasets before uploading them for fine-tuning, removing any sensitive information that is not strictly necessary for the training task.
3. **Review AWS Security Bulletins:** Regularly check AWS security bulletins for your services to stay informed about platform-level vulnerabilities and patches.
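Mitigation step 2 (data minimization) is the one a customer can act on directly. The following is an added example, not code from AWS or from this advisory, of a pre-upload pass over a fine-tuning dataset that redacts e-mail addresses, SSN-shaped numbers and Luhn-valid card numbers before the file ever leaves the tenant. It assumes the dataset is JSONL with `prompt` and `completion` string fields; the sample records, the field names and the regexes are constructed for the example and should be extended to whatever sensitive data classes the training task actually contains.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample dataset (JSONL, one prompt/completion record per line).
# All values are invented for this example; 4111 1111 1111 1111 is a
# well-known Luhn-valid test number, not a real card.
SAMPLE_JSONL = "\n".join([
    json.dumps({"prompt": "Summarize the ticket from jane.doe@example.com",
                "completion": "Customer asks about a refund for order 1234."}),
    json.dumps({"prompt": "Card on file 4111 1111 1111 1111, SSN 123-45-6789",
                "completion": "Update the billing record."}),
    json.dumps({"prompt": "Explain how GPU memory zeroing works",
                "completion": "Memory is overwritten before reallocation."}),
])

# Assumed detector patterns; a production pass would add the data classes
# specific to the tenant (account ids, internal hostnames, API keys, ...).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn
    # below so that plain order numbers or ids are not redacted by accident.
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_text(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace matches with labelled placeholders; return text and per-class counts."""
    counts = {name: 0 for name in PATTERNS}

    def card_sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            counts["card"] += 1
            return "[REDACTED_CARD]"
        return m.group(0)     # not a card number: leave it untouched

    text, n = PATTERNS["email"].subn("[REDACTED_EMAIL]", text)
    counts["email"] += n
    text, n = PATTERNS["ssn"].subn("[REDACTED_SSN]", text)
    counts["ssn"] += n
    text = PATTERNS["card"].sub(card_sub, text)
    return text, counts


def sanitize_jsonl(raw: str) -> Tuple[str, Dict[str, int]]:
    """Sanitize every prompt/completion field; return cleaned JSONL and totals."""
    totals = {name: 0 for name in PATTERNS}
    cleaned: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        for field in ("prompt", "completion"):
            if isinstance(record.get(field), str):
                record[field], counts = redact_text(record[field])
                for name, n in counts.items():
                    totals[name] += n
        cleaned.append(json.dumps(record))
    return "\n".join(cleaned), totals


if __name__ == "__main__":
    out, totals = sanitize_jsonl(SAMPLE_JSONL)
    print(out)
    print("redactions:", totals)
```

Run the pass over the real dataset and review the redaction counts before uploading: a count of zero on a dataset that is known to contain customer records means the detectors are missing a data class, not that the data is clean. Redacting to labelled placeholders rather than deleting fields keeps the record structure intact so the training format stays valid.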
Patch Details
AWS deployed a server-side patch globally on 2025-11-19. The fix enforces strict GPU memory zeroing and improved job scheduling isolation between tenants' workloads.