Floci 1.5.27 API Gateway VTL RCE + IAM Scope Bypass
Velocity templates in Floci API Gateway integration responses reach ProcessBuilder; wrong SigV4 credential scope bypasses IAM enforcement.
Summary
Velocity (VTL) templates in Floci API Gateway integration responses reach ProcessBuilder, and a SigV4 credential scope that names the wrong service bypasses IAM enforcement. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | Floci 1.5.27 |
| Primitive | VTL reflection + SigV4 scope service-name mapping failure |
| Impact | OS command execution as the Floci JVM; IAM deny policies bypassed by using an iam scope on apigateway routes. |
Attack Chain
Create REST API → malicious responseTemplates → deploy → invoke OR scope=iam on control plane
Mitigation
Do not expose Floci API to untrusted networks; enable IAM enforcement with correct scope validation.
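
The scope validation named in the mitigation, as an added example (not Floci's code and not from the upstream PoC): the service in the SigV4 credential scope is compared with the service that owns the route, and the request is rejected before policy evaluation on any mismatch. The `route_service` argument and the sample headers are assumptions constructed for illustration.

```python
import re

# Assumption: the server already knows which service owns each route
# (API Gateway routes -> "apigateway"); the mapping is not Floci's own.
_CRED = re.compile(r"Credential=([^,\s]+)")

class ScopeError(ValueError):
    """Raised when a SigV4 credential scope must be rejected."""

def parse_scope(authorization: str) -> dict:
    """Split Credential=<key>/<date>/<region>/<service>/aws4_request."""
    if not authorization.startswith("AWS4-HMAC-SHA256 "):
        raise ScopeError("not a SigV4 Authorization header")
    m = _CRED.search(authorization)
    if not m:
        raise ScopeError("missing Credential field")
    parts = m.group(1).split("/")
    if len(parts) != 5:
        raise ScopeError("credential scope must have 5 components")
    key, date, region, service, term = parts
    if not re.fullmatch(r"\d{8}", date) or term != "aws4_request":
        raise ScopeError("malformed date or terminator")
    if not (key and region and service):
        raise ScopeError("empty scope component")
    return {"access_key": key, "date": date, "region": region, "service": service}

def authorize_scope(authorization: str, route_service: str) -> dict:
    """Fail closed unless the signed service equals the route's service."""
    scope = parse_scope(authorization)
    if scope["service"] != route_service:
        raise ScopeError(f"scope service {scope['service']!r} does not match "
                         f"route service {route_service!r}")
    # Signature verification must still follow, keyed on this same scope.
    return scope

def check(authorization: str, route_service: str) -> str:
    try:
        authorize_scope(authorization, route_service)
        return "allow-to-policy-eval"
    except ScopeError as exc:
        return f"reject: {exc}"

# Constructed sample headers (not captured traffic).
_TAIL = "/aws4_request, SignedHeaders=host;x-amz-date, Signature=" + "0" * 64
GOOD = "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20250101/us-east-1/apigateway" + _TAIL
MISMATCH = "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20250101/us-east-1/iam" + _TAIL

if __name__ == "__main__":
    for hdr in (GOOD, MISMATCH):
        print(check(hdr, "apigateway"))
```

Rejected requests are worth logging with the scope service and the route, since a scope/route mismatch is also a useful detection signal.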