GCP Cloud Composer Vulnerability Exposed Privilege Escalation Risk via Malicious PyPI Packages
A recently patched security flaw in Google Cloud Platform (GCP)‘s Cloud Composer service has raised serious concerns among cybersecurity professionals. The vulnerability, discovered by researchers at Tenable, could have enabled threat actors to escalate privileges through the injection of malicious Python packages, potentially compromising a range of GCP services.
What is Cloud Composer and Why Is It Important?
Cloud Composer is GCP’s managed workflow orchestration service built on Apache Airflow. It allows users to author, schedule, and monitor workflows. Due to its integrations with other GCP services, any security issue in Cloud Composer can have far-reaching implications.
Introducing “ConfusedComposer”
The newly disclosed vulnerability, internally dubbed ConfusedComposer, is a privilege escalation vulnerability that targeted Cloud Composer environments. According to Liv Matan, Senior Security Researcher at Tenable, attackers with edit permissions on Cloud Composer environments could manipulate the system to gain access to the default Cloud Build service account.
This service account holds elevated permissions across core GCP services, including:
-
Cloud Build
-
Cloud Storage
-
Artifact Registry
By exploiting ConfusedComposer, attackers could move laterally across services and gain unauthorized access to sensitive data.
How the Exploit Works
The attack method relied on the ability to upload custom PyPI packages. Since Cloud Composer supports custom package installation, a malicious actor could inject a PyPI package containing a script designed to execute during installation. This script would then interact with Cloud Build using elevated privileges, leading to a full privilege escalation.
Tenable characterized this vulnerability as a variant of a previous flaw named ConfusedFunction, which affected GCP Cloud Functions in a similar way.
A Pattern of Inherited Vulnerabilities
This is not an isolated issue. It follows the trend of vulnerabilities like ImageRunner, another flaw discovered by Tenable, which affected GCP Cloud Run. These incidents highlight the “Jenga effect” — a security concept where newer cloud services inherit vulnerabilities from the foundational services they are built upon.
Real-World Impact
If exploited successfully, ConfusedComposer could allow attackers to:
-
Steal confidential data
-
Disrupt cloud-based services
-
Insert backdoors into CI/CD pipelines
-
Maintain persistent access to compromised environments
Matan noted that this vulnerability highlights the risks of inter-service trust assumptions in cloud ecosystems.
Google’s Response and Mitigation
Following responsible disclosure by Tenable, Google officially patched the vulnerability on April 13, 2025. The company replaced the default Cloud Build service account with the environment’s own service account for installing PyPI packages.
Key mitigation steps include:
-
Cloud Composer 2 environments using version 2.10.2 and later already include this fix.
-
Cloud Composer 3 environments were not impacted, as they have always used the environment’s service account.
Broader Context: Other Cloud Vulnerabilities Surface
The Cloud Composer issue isn’t the only cloud security concern making headlines recently. Several high-impact vulnerabilities have emerged across different cloud platforms:
1. Microsoft Azure SQL Server Flaw
Varonis Threat Labs disclosed a vulnerability affecting Azure SQL Servers. The Destructive Stored URL Parameter Injection allowed privileged users to manipulate firewall rule names via T-SQL, potentially leading to widespread data deletion. Microsoft patched the issue on April 9, 2025.
2. Microsoft Entra ID Bug
Datadog Security Labs reported a flaw in Microsoft Entra ID’s restricted administrative units. This bug enabled a privileged attacker to protect user accounts under their control, even from Global Administrators. The vulnerability was addressed by Microsoft on February 22, 2025.
3. AWS EC2 SSRF Exploits
Threat actors are increasingly targeting Amazon EC2 instances through Server-Side Request Forgery (SSRF). These exploits focus on extracting sensitive metadata, including IAM credentials, from EC2’s instance metadata service. According to F5 Labs, such data is highly valuable to attackers and can lead to further compromise.
Latest Posts
GCP Cloud Composer Vulnerability Exposed Privilege Escalation Risk via Malicious PyPI Packages
GCP Cloud Composer Vulnerability Exposed Privilege Escalation Risk via Malicious PyPI Packages A recently patched security flaw in Google Cloud Platform (GCP)'s Cloud Composer service has raised serious concerns among [...]
AI Boom Fuels the Next Wave of Cloud Storage Growth
AI Boom Fuels the Next Wave of Cloud Storage Growth AI Boom Fuels the Next Wave of Cloud Storage Growth A recent global survey conducted by Recon Analytics, on behalf [...]
Love in the Cloud: How Technology Keeps Relationships Connected
Love in the Cloud: How Technology Keeps Relationships Connected Love in the Cloud: How Technology Keeps Relationships Connected Valentine’s Day is often associated with romantic dinners, flowers, and handwritten love [...]
Cybersecurity in 2025: Enhancing Safety in the Cloud
Cybersecurity in 2025: Enhancing Safety in the Cloud Introduction: Rising Cybersecurity Challenges As we step into 2025, cybersecurity remains a top priority for businesses and individuals alike. With cyber threats [...]
Exploring the Tech Frontier in 2025: The Nintendo Switch and Quantum Technology
Exploring the Tech Frontier in 2025: The Nintendo Switch and Quantum Technology Introduction: A New Era of Gaming Technology As 2025 unfolds, the tech world is abuzz with exciting developments, [...]
Reflecting on 2024
Reflecting on 2024 – Top 10 IT Innovations Reflecting on 2024 – Top 10 IT Innovations As the year draws to a close, we at Hot Pink Tech Services want to [...]
