One of Spotify's biggest projects had a rather critical security flaw

Close of computer hacking
(Image credit: Tima Miroshnichenko from Pexels)

Backstage, Spotify’s open platform project for building developer portals was carrying a high-severity vulnerability that allowed potential threat actors to remotely execute unauthenticated code in the project. The flaw was discovered by cloud-native application security providers Oxeye, and was subsequently patched by Spotify.

Users are urged to update Backstage to version 1.5.1, which fixes the issue.

Explaining how they discovered the vulnerability, Oxeye’s researchers said they exploited a VM sandbox escape through the third-party library in vm2, resulting in the ability to conduct unauthenticated remote code execution. 

Template-based attacks

“By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” said Yuval Ostrovsky, Software Architect for Oxeye. “Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it is critical these issues are addressed without delay.”

"What caught our attention in this case were Backstage software templates and the potential for template-based attacks,” said Daniel Abeles, Head of Research at Oxeye. “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.”

Backstage’s goal is to streamline development environment by unifying all infrastructure tooling, services, and documentation. According to Oxeye, it has more than 19,000 stars on GitHub, making it one of the most popular open-source platforms for building developer portals. Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, and Palo Alto Networks, are just some of the companies using Backstage. 

Further explaining the problem and potential remedies, the researchers said the root of a template-based VM escape was able to gain JavaScript execution rights within the template. Logic-less template engines such as Mustache prevent the introduction of server-side template injection, thus eliminating the issue, it was explained. 

“If using a template engine in an application, make sure to choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to the organization,” said Gal Goldshtein, Senior Security Researcher at Oxeye. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
A person at a laptop with a cybersecure lock symbol floating above it.
A worrying security flaw could have left Microsoft SharePoint users open to attack
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
WordPress
Another top WordPress plugin found carrying critical security flaws
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Veeam backup software has a serious security flaw - here's how to stay safe
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Toni Collette in Hereditary
Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Close up of Leica M11-P viewfinder
I wince at the prospect of the rumored Leica M11-V – here's why