Spotify’s Backstage has been found as susceptible to a extreme safety flaw that might be exploited to achieve distant code execution by leveraging a not too long ago disclosed bug in a third-party module.
The vulnerability (CVSS rating: 9.8), at its core, takes benefit of a crucial sandbox escape in vm2, a well-liked JavaScript sandbox library (CVE-2022-36067 aka Sandbreak), that got here to mild final month.
“An unauthenticated risk actor can execute arbitrary system instructions on a Backstage software by exploiting a vm2 sandbox escape within the Scaffolder core plugin,” software safety agency Oxeye mentioned in a report shared with The Hacker News.
Backstage is an open supply developer portal from Spotify that enables customers to create, handle, and discover software program elements from a unified “entrance door.” It’s utilized by many firms like Netflix, DoorDash, Roku, and Expedia, amongst others.
According to Oxeye, the flaw is rooted in a instrument known as software program templates that can be utilized to create elements inside Backstage.
 |
| Screenshot reveals Backstage calling the renderTemplate perform (that calls renderString2) twice within the occasion of an error. |
While the template engine makes use of vm2 to mitigate the chance related to operating untrusted code, the sandbox escape flaw within the latter made it attainable to execute arbitrary system instructions outdoors of the safety perimeter.
Oxeye mentioned it was in a position to establish greater than 500 publicly-exposed Backstage situations on the web, which might then be remotely weaponized by an adversary with out requiring any authorization.
Following accountable disclosure on August 18, the problem was addressed by the venture maintainers in model 1.5.1 launched on August 29, 2022.
“The root of any template-based VM escape is gaining JavaScript execution rights inside the template,” the Israeli firm famous. “By utilizing ‘logic-less’ template engines resembling Mustache, you possibly can keep away from introducing server-side template injection vulnerabilities.”
“Separating the logic from the presentation as a lot as attainable can significantly cut back your publicity to probably the most harmful template-based assaults,” it additional added.