Spotify Backstage, an open-source platform used to build developer portals and in use at a number of large companies, has been found vulnerable to a critical remote code execution vulnerability. In line with the observation that most vulnerabilities are found in indirect dependencies, the Backstage vulnerability is enabled by another vulnerability in its JavaScript sandbox dependency, VM2.
The Backstage vulnerability was discovered by the Oxeye research team and received a CVSS score of 9.8.
An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a VM2 sandbox escape in the Scaffolder core plugin.
The exploit consists of overriding the renderString function used by Backstage's template engine error-handling component, causing arbitrary code to execute. As the Oxeye team showed, the exploit can also be carried out against instances in the wild, although this only appears to be possible when using Backstage's default authentication configuration, which amounts to no authentication at all.
When trying to send requests directly to the backend API server of some of the internet-exposed instances, we found a handful did not require any form of authentication or authorization. Thus we concluded the vulnerability could be exploited without authentication on many instances.
Besides updating to the latest Backstage version as soon as possible, the Oxeye team also advised choosing any template engine you use with care, specifically favoring "logic-less" template engines such as Mustache. Logic-less template engines avoid introducing server-side template injection vulnerabilities like the one in Backstage's case, because placeholders are only ever looked up in the supplied data and never evaluated as code.
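As an added illustration of the logic-less approach recommended above (example code written for this page, not code from Backstage, Oxeye or the Mustache library): a minimal placeholder-only renderer in JavaScript. Placeholder paths are only looked up on the data object's own properties, substituted values are escaped and never re-scanned, so template syntax arriving in user-supplied values stays inert text.

```javascript
// Added example, not from the article or from any project it mentions:
// a minimal logic-less renderer in the spirit of Mustache. A placeholder
// such as {{ user.name }} is *looked up*, never evaluated.
const PLACEHOLDER = /\{\{\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}\}/g;

// Walk a dotted path through own properties only. Inherited properties such
// as "constructor" are deliberately unreachable, so the renderer can never
// hand a template access to Function or other prototype-level gadgets.
function lookup(data, path) {
  let cur = data;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return '';
    }
    cur = cur[key];
  }
  return typeof cur === 'string' || typeof cur === 'number' ? String(cur) : '';
}

// Escape output so a value cannot break out of the surrounding HTML either.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Substituted values are not re-scanned for placeholders: a value that itself
// contains "{{ ... }}" is emitted verbatim instead of being rendered again.
function render(template, data) {
  return template.replace(PLACEHOLDER, (_, path) => escapeHtml(lookup(data, path)));
}

// Constructed sample: a scaffolder-style template plus user-supplied parameters.
const TEMPLATE = 'Hello {{ user.name }}, your service is {{ service }}.';

function demo() {
  return {
    benign: render(TEMPLATE, { user: { name: 'Ada' }, service: 'payments' }),
    // Template syntax inside a parameter value stays literal text.
    syntaxInValue: render(TEMPLATE, { user: { name: '{{ service }}' }, service: 'x' }),
    // A path that only exists on the prototype resolves to nothing.
    prototypePath: render('{{ constructor.name }}', {}),
    // Markup in a value is escaped rather than injected.
    markupInValue: render('<b>{{ x }}</b>', { x: '<script>' }),
  };
}
```

Compare this with an engine that evaluates expressions inside the braces: there, the same `{{ ... }}` text in a value would be a candidate for execution rather than output.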
As mentioned, the Backstage vulnerability was enabled by a remote code execution vulnerability in the VM2 sandbox dependency, a popular library with about 16 million downloads a month. VM2 provides a trusted environment for running untrusted code, with the ability to whitelist which built-in modules may be accessed as well as to securely call methods and exchange data across sandboxes.
The VM2 vulnerability, CVE-2022-36067, was also discovered by the Oxeye research team and was promptly patched.