GCP Cloud Composer Vulnerability Exposed Privilege Escalation Risk via Malicious PyPI Packages

A recently patched security flaw in Google Cloud Platform (GCP)'s Cloud Composer service has raised serious concerns among cybersecurity professionals. The vulnerability, discovered by researchers at Tenable, could have enabled threat actors to escalate privileges through the injection of malicious Python packages, potentially compromising a range of GCP services.
What is Cloud Composer and Why Is It Important?
Cloud Composer is GCP’s managed workflow orchestration service built on Apache Airflow. It allows users to author, schedule, and monitor workflows. Due to its integrations with other GCP services, any security issue in Cloud Composer can have far-reaching implications.
Introducing “ConfusedComposer”
The newly disclosed vulnerability, internally dubbed ConfusedComposer, is a privilege escalation vulnerability that targeted Cloud Composer environments. According to Liv Matan, Senior Security Researcher at Tenable, attackers with edit permissions on Cloud Composer environments could manipulate the system to gain access to the default Cloud Build service account.
This service account holds elevated permissions across core GCP services, including:
- Cloud Build
- Cloud Storage
- Artifact Registry
By exploiting ConfusedComposer, attackers could move laterally across services and gain unauthorized access to sensitive data.
How the Exploit Works
The attack method relied on the ability to upload custom PyPI packages. Since Cloud Composer supports custom package installation, a malicious actor could inject a PyPI package containing a script designed to execute during installation. This script would then interact with Cloud Build using elevated privileges, leading to a full privilege escalation.
Tenable characterized this vulnerability as a variant of a previous flaw named ConfusedFunction, which affected GCP Cloud Functions in a similar way.
A Pattern of Inherited Vulnerabilities
This is not an isolated issue. It follows the trend of vulnerabilities like ImageRunner, another flaw discovered by Tenable, which affected GCP Cloud Run. These incidents highlight the “Jenga effect” — a security concept where newer cloud services inherit vulnerabilities from the foundational services they are built upon.
Real-World Impact
If exploited successfully, ConfusedComposer could allow attackers to:
- Steal confidential data
- Disrupt cloud-based services
- Insert backdoors into CI/CD pipelines
- Maintain persistent access to compromised environments
Matan noted that this vulnerability highlights the risks of inter-service trust assumptions in cloud ecosystems.
Google’s Response and Mitigation
Following responsible disclosure by Tenable, Google officially patched the vulnerability on April 13, 2025. The company replaced the default Cloud Build service account with the environment’s own service account for installing PyPI packages.
Key mitigation steps include:
- Cloud Composer 2 environments using version 2.10.2 and later already include this fix.
- Cloud Composer 3 environments were not impacted, as they have always used the environment’s service account.
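The version guidance above can be checked against an environment inventory. The following is an added example, not code from Tenable or Google: it assumes an inventory exported as JSON with the Composer API's `config.softwareConfig.imageVersion` and `pypiPackages` fields, and the project and environment names are constructed.

```python
import json
import re

# First fixed Cloud Composer 2 release named in the article.
FIXED_COMPOSER_2 = (2, 10, 2)

# Constructed inventory, shaped like `gcloud composer environments list --format=json`.
SAMPLE_INVENTORY = json.loads("""[
 {"name": "projects/example-proj/locations/us-central1/environments/etl-legacy",
  "config": {"softwareConfig": {"imageVersion": "composer-2.9.7-airflow-2.9.3",
                                "pypiPackages": {"requests": ">=2.31", "acme-utils": ""}}}},
 {"name": "projects/example-proj/locations/us-central1/environments/etl-current",
  "config": {"softwareConfig": {"imageVersion": "composer-2.10.2-airflow-2.10.2"}}},
 {"name": "projects/example-proj/locations/europe-west1/environments/ml-c3",
  "config": {"softwareConfig": {"imageVersion": "composer-3-airflow-2.10.2-build.5"}}},
 {"name": "projects/example-proj/locations/europe-west1/environments/old-c1",
  "config": {"softwareConfig": {"imageVersion": "composer-1.20.12-airflow-1.10.15"}}}
]""")

# composer-<major>[.<minor>.<patch>]-airflow-...; Composer 3 images carry only the major.
_IMAGE_RE = re.compile(r"^composer-(\d+)(?:\.(\d+)\.(\d+))?-airflow-")


def classify(image_version):
    """Map an image version string to the article's fix guidance."""
    m = _IMAGE_RE.match(image_version or "")
    if not m:
        return "unknown"
    major = int(m.group(1))
    if major == 3:
        return "not-impacted"          # always used the environment's service account
    if major == 2 and m.group(2) is not None:
        # Compare as integers: as strings, "2.9.7" would sort after "2.10.2".
        version = (2, int(m.group(2)), int(m.group(3)))
        return "fixed" if version >= FIXED_COMPOSER_2 else "needs-upgrade"
    return "unknown"                   # e.g. Composer 1, which the article does not cover


def review(inventory):
    """Return one row per environment: fix status plus any custom PyPI packages."""
    rows = []
    for env in inventory:
        sw = env.get("config", {}).get("softwareConfig", {})
        rows.append({"environment": env.get("name", "").rsplit("/", 1)[-1],
                     "status": classify(sw.get("imageVersion")),
                     "custom_pypi": sorted(sw.get("pypiPackages") or {})})
    return rows


if __name__ == "__main__":
    for row in review(SAMPLE_INVENTORY):
        print(row)
```

Environments reported as `needs-upgrade` that also list custom PyPI packages are the ones to review first, since custom package installation is the path the article describes.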
Broader Context: Other Cloud Vulnerabilities Surface
The Cloud Composer issue isn’t the only cloud security concern making headlines recently. Several high-impact vulnerabilities have emerged across different cloud platforms:
1. Microsoft Azure SQL Server Flaw
Varonis Threat Labs disclosed a vulnerability affecting Azure SQL Servers. The Destructive Stored URL Parameter Injection allowed privileged users to manipulate firewall rule names via T-SQL, potentially leading to widespread data deletion. Microsoft patched the issue on April 9, 2025.
2. Microsoft Entra ID Bug
Datadog Security Labs reported a flaw in Microsoft Entra ID’s restricted administrative units. This bug enabled a privileged attacker to protect user accounts under their control, even from Global Administrators. The vulnerability was addressed by Microsoft on February 22, 2025.
3. AWS EC2 SSRF Exploits
Threat actors are increasingly targeting Amazon EC2 instances through Server-Side Request Forgery (SSRF). These exploits focus on extracting sensitive metadata, including IAM credentials, from EC2’s instance metadata service. According to F5 Labs, such data is highly valuable to attackers and can lead to further compromise.