Critical RCE Flaw Reported in Spotify’s Backstage Software Catalog and Developer Platform


Spotify’s Backstage has been found to contain a severe security flaw that could be exploited for remote code execution by leveraging a recently disclosed bug in a third-party module.

The vulnerability (CVSS score: 9.8) at its core takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library. That escape (CVE-2022-36067, also known as Sandbreak) came to light last month.

“An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin,” application security firm Oxeye said in a report shared with The Hacker News.

Backstage is an open source developer portal from Spotify that allows users to create, manage, and explore software components from a unified “front door.” It is used by companies including Netflix, DoorDash, Roku, and Expedia, among others.

According to Oxeye, the flaw is rooted in software templates, a Backstage feature used to create new components within the portal.

Screenshot: Backstage calling the renderTemplate function (which in turn calls renderString2) twice in the event of an error.

While the template engine runs inside vm2 to contain the risk of evaluating untrusted template code, the sandbox escape in vm2 made it possible to execute arbitrary system commands outside that boundary.

Oxeye said it was able to identify more than 500 publicly exposed Backstage instances on the internet, which an adversary could weaponize remotely without any authentication.

Following responsible disclosure on August 18, the issue was addressed by the project maintainers in version 1.5.1, released on August 29, 2022. Deployments running earlier versions should upgrade to 1.5.1 or later.

“The root of any template-based VM escape is gaining JavaScript execution rights within the template,” the Israeli company noted. “By using ‘logic-less’ template engines such as Mustache, you can avoid introducing server-side template injection vulnerabilities.”

“Separating the logic from the presentation as much as possible can greatly reduce your exposure to the most dangerous template-based attacks,” the company added.
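To make Oxeye’s remediation point concrete, the following is an added example written for this article; it is not code from Backstage, vm2 or Oxeye. It contrasts a toy engine that evaluates `{{ }}` expressions as JavaScript with a toy logic-less engine in the spirit of Mustache, and shows that the injection only becomes possible when untrusted text reaches an expression-evaluating engine as template rather than as data. The function names (`renderWithLogic`, `renderLogicless`, `greet*`) and the sample payload are constructed for the demonstration; no sandbox is involved, so this illustrates the root cause the quote describes, not the vm2 escape itself.

```javascript
// Added example, not Backstage/vm2/Oxeye code. Shows why "gaining JavaScript
// execution rights within the template" is the root of template-based escapes,
// and two ways to deny it. All names and inputs below are constructed.

// Toy logic-capable engine: every {{ ... }} is evaluated as a JavaScript
// expression against the context. Deliberately unsafe; it stands in for any
// engine with an expression grammar (the reason Backstage wrapped its engine
// in vm2 at all).
function renderWithLogic(template, context) {
  return template.replace(/\{\{([\s\S]*?)\}\}/g, (_, expr) => {
    // new Function is unrestricted JavaScript execution.
    const fn = new Function('ctx', `with (ctx) { return (${expr}); }`);
    return String(fn(context));
  });
}

// Toy logic-less engine in the spirit of Mustache: {{path.to.key}} is a pure
// lookup. There is no expression grammar, so nothing an attacker writes in a
// template or a value can be executed by the engine.
function renderLogicless(template, context) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), context);
    return value == null ? '' : String(value);
  });
}

// Constructed attacker input. The classic walk: `this` (the global object in a
// sloppy-mode Function) -> its constructor (Object) -> Object's constructor
// (Function), then call Function with arbitrary source. Kept benign: it only
// reports whether `process` is reachable.
const PAYLOAD = '{{ this.constructor.constructor("return typeof process")() }}';

// Vulnerable pattern: untrusted input is concatenated into the template text,
// so the attacker controls what the engine evaluates.
function greetVulnerable(untrustedName) {
  return renderWithLogic('Hello ' + untrustedName, {});
}

// Safer pattern 1: same logic-capable engine, but the template is fixed and
// untrusted input arrives only as data. replace() makes a single pass over the
// template and never re-parses substituted values, so {{ }} in the value stays
// literal. This is "separating logic from presentation".
function greetDataOnly(untrustedName) {
  return renderWithLogic('Hello {{ user.name }}', { user: { name: untrustedName } });
}

// Safer pattern 2: logic-less engine. Even if untrusted text reaches the
// template, there is no evaluator to abuse; unmatched {{ }} passes through.
function greetLogicless(untrustedName) {
  return renderLogicless('Hello ' + untrustedName, { user: { name: 'unused' } });
}

// Returns all three renderings for the same payload so the difference is visible.
function demonstrate() {
  return {
    vulnerable: greetVulnerable(PAYLOAD), // payload executed: "Hello object"
    dataOnly: greetDataOnly(PAYLOAD),     // payload kept literal
    logicless: greetLogicless(PAYLOAD),   // payload kept literal
  };
}

console.log(demonstrate());
```

Run with `node` to see the first rendering print `Hello object` (the payload executed and found Node’s `process` object) while the other two echo the payload text unchanged. The lesson maps onto the Backstage case: the sandbox was a second line of defense around an engine that already granted expression evaluation; the first line is never letting untrusted input become template text, or using an engine that has no expressions to evaluate.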

https://thehackernews.com/2022/11/critical-rce-flaw-reported-in-spotifys.html

