OFFSITE.DARK
← Signals

Jun 29, 2026

1 min

Sploitus / Exploitarium

  • floci
  • vtl
  • aws-emulator
  • rce
  • exploitarium

news

Floci 1.5.27 API Gateway VTL RCE + IAM Scope Bypass

Velocity templates in Floci API Gateway integration responses reach ProcessBuilder; wrong SigV4 credential scope bypasses IAM enforcement.

Summary

Velocity templates in Floci API Gateway integration responses reach ProcessBuilder; wrong SigV4 credential scope bypasses IAM enforcement. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

FindingDetail
Product / targetFloci 1.5.27
PrimitiveVTL reflection + SigV4 scope service-name mapping failure
ImpactOS command execution as Floci JVM; IAM deny policies bypassed with iam scope on apigateway routes.

Attack Chain

Create REST API → malicious responseTemplates → deploy → invoke OR scope=iam on control plane

Mitigation

Do not expose Floci API to untrusted networks; enable IAM enforcement with correct scope validation.

Related Signals

Sources

→ Source