CVE-2023-35926: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2023-35926) affects the Backstage scaffolder-backend plugin, which was discovered in June 2023. The issue stems from an insecure sandbox implementation in the templating library that uses vm2, which has known vulnerabilities. The vulnerability affects versions prior to 1.15.0 of @backstage/plugin-scaffolder-backend (GitHub Advisory).

The vulnerability is related to the templating library's sandbox implementation in the Backstage scaffolder-backend plugin. The plugin previously used vm2 for sandboxing, which was found to have multiple vulnerabilities. The issue has been assigned a CVSS v3.1 base score of 8.0 HIGH (according to GitHub) and 9.9 CRITICAL (according to NVD), with a vector string of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD).

A malicious actor with write access to a registered scaffolder template could exploit this vulnerability to achieve remote code execution on the scaffolder-backend instance. The vulnerability is specifically exploitable through the template YAML definition and not through user input data (GitHub Advisory).

The vulnerability has been fixed in version 1.15.0 of @backstage/plugin-scaffolder-backend by replacing the vm2 sandbox with isolated-vm. The new implementation significantly improves sandbox security by building upon v8 isolates directly. Organizations are advised to control access and perform manual reviews of changes to scaffolder templates as per the Backstage Threat Model (GitHub Release, GitHub Advisory).