Insecure sandbox in Backstage Scaffolder plugin
Description
Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that, by design, lets template expressions execute code, so those expressions have to run inside a sandbox. Until now that sandbox was vm2; in light of several past vm2 vulnerabilities, and of known vulnerabilities that may never receive a fix, the plugin has switched to a different sandbox library, isolated-vm. A malicious actor with write access to a registered scaffolder template could craft the template so that it achieved remote code execution on the scaffolder-backend instance. This was exploitable only through the template YAML definition itself, not through user input data. The vulnerability is fixed in version 1.15.0 of @backstage/plugin-scaffolder-backend.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @backstage/plugin-scaffolder-backend (npm) | < 1.15.0 | 1.15.0 |
Affected products
Patches
fb7375507d56 feat: replace vm2 sandbox with isolated-vm
1 file changed · +1 −0
plugins/scaffolder-backend/src/lib/templating/SecureTemplater.ts+1 −0 modified@@ -115,6 +115,7 @@ export class SecureTemplater { templateFilters = {}, templateGlobals = {}, } = options; + const isolate = new Isolate({ memoryLimit: 128 }); const context = await isolate.createContext(); const contextGlobal = context.global;
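Review bot: `memoryLimit: 128` in the added `const isolate = new Isolate({ memoryLimit: 128 });` line is an undocumented magic number; the unit is megabytes, so pull it into a named constant with a comment giving the unit and the reason for 128, and pair it with a `timeout` wherever scripts are run in this isolate, since a memory cap alone does not bound a template expression that loops forever. The isolate created here is also never visibly disposed in this hunk; isolated-vm isolates hold off-heap V8 memory, so `SecureTemplater` needs an `isolate.dispose()` path (or a per-render lifetime) to avoid leaking one isolate per instance.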
References
- github.com/advisories/GHSA-wg6p-jmpc-xjmr (GitHub Advisory Database)
- nvd.nist.gov/vuln/detail/CVE-2023-35926 (NVD)
- github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a (fix commit)
- github.com/backstage/backstage/releases/tag/v1.15.0 (release)
- github.com/backstage/backstage/security/advisories/GHSA-wg6p-jmpc-xjmr (project advisory)