Experts found critical RCE in Spotify’s Backstage

Researchers discovered a critical vulnerability impacting Spotify’s Backstage Software Catalog and Developer Platform.

Researchers from the security firm Oxeye discovered a critical Remote Code Execution in Spotify’s Backstage (CVSS Score of 9.8). Backstage is Spotify’s open-source platform for building developer portals, it’s used by a several organizations, including American Airlines, Netflix, Splunk, Fidelity Investments and Epic Games.

The issue can be exploited by triggering a recently disclosed VM sandbox escape vulnerability (CVE-2022-36067 aka Sandbreak) in the vm2 third-party library.

Oxeye researchers reported this RCE vulnerability via Spotify’s bug bounty program, and the Backstage development team quickly fixed it with the release of version 1.5.1.

“An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin.” reads the advisory published by Oxeye.

The vulnerability resides in the software templates tools that allow developers to create components in Backstage.

The researchers explained that the template engine utilizes the vm2 library to prevent the execution of untrusted code.

“In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment. As a result, Backstage started using the vm2 JavaScript sandbox library to mitigate this risk.” continues the advisory. “In an earlier research paper, Oxeye found a vm2 sandbox escape vulnerability that results in remote code execution (RCE) on the hosting machine.”

The researchers run a simple query for the Backstage favicon hash in Shodan and discovered more than 500 Backstage instances exposed to the internet.

The experts noticed that Backstage is deployed by default without an authentication mechanism or an authorization mechanism, which allows guest access. Some of the publicly-exposed Backstage instances did not require any authentication. 

Further tests allowed the experts to determine that the vulnerability could be exploited without authentication on many instances. 

“The root of any template-based VM escape is gaining JavaScript execution rights within the template. By using “logic-less” template engines such as Mustache, you can avoid introducing server-side template injection vulnerabilities. Separating the logic from the presentation as much as possible can greatly reduce your exposure to the most dangerous template-based attacks.” concludes the report. “For more information about mitigating template-based vulnerabilities, see PortSwigger’s technical advisory. And if you use Backstage with authentication, enable it for both the front and backend.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Spotify’s Backstage)

[adrotate banner=”5″]

[adrotate banner=”13″]