Backstage, an open-source toolkit originally developed by Spotify, has a vulnerability that could allow remote code execution, cloud security firm Oxeye reported. (Photo by Spencer Platt/Getty Images)

Cloud security firm Oxeye reported that its research team was able to gain remote code execution (RCE) in a popular cloud development toolkit called Backstage. Originally started at Spotify and now open-sourced on GitHub, Backstage is an open platform for building developer portals. In a Nov. 15 blog post, Oxeye researchers said they were able to gain RCE by “exploiting a VM sandbox escape through the vm2 third-party library.” The vulnerability has a CVSS score of 9.8 and was reported to Spotify, which patched the RCE in version 1.5.1.
Besides Spotify, Oxeye said American Airlines, Netflix and Splunk are just some of the organizations that use Backstage to integrate systems such as Prometheus, Jira and ElasticSearch, so an attacker with code execution on Backstage could “compromise those services and the data they hold.” As noted by Sophos’ Naked Security blog, the “Backstage RCE depends on a sequence of coding flaws that ultimately depend on a specific bug, designated CVE-2022-36067 in a supply-chain component that Backstage relies on called vm2,” which was reported by Oxeye in August and patched by the vm2 team.
Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.