Date Mar 31, 2026

Meta Bug Bounty — One Last Spark AR RCE

This is the story of the final Remote Code Execution vulnerability discovered in Meta's now-discontinued Spark AR Studio — found by exploiting a malicious package.json hidden inside a seemingly benign .arexport project file. Meta rewarded a $2,625 bounty for this finding.

Spark AR RCE

Background & Methodology

Spark AR Studio allows creators to install packages from the AR Library — an online repository. Verified authors publish packages there, which means those packages are implicitly trusted by the platform. Rather than publish a malicious package directly (which requires verified author status), the researcher took a different approach: install a legitimate package, then inspect what gets bundled into the project file.

The Discovery: The "internal" Folder

After saving a Spark AR project with an installed AR Library package as an .arexport file, opening it with 7-Zip (since .arexport files are just ZIP archives) revealed a suspicious new directory called internal. Inside was a file named kitchensink.zip.

Opening kitchensink.zip revealed a package.json — a file that describes Node.js projects. Since Spark AR uses Node.js during project file loading, a crafted package.json could potentially trigger command execution.

Node.js Lifecycle Scripts

npm (Node Package Manager) supports Lifecycle Scripts in package.json. Scripts like postinstall and prepare execute automatically when a package is installed. Modifying the package.json inside kitchensink.zip to include these hooks was the key to the exploit:

{
  "dependencies": {
    "postinstall": "*",
    "spark-entity-components": "0.1.1",
    "spark-procedural-animations": "0.9.4"
  },
  "scripts": {
    "postinstall": "node myscript",
    "prepare": "node myscript"
  }
}

Weaponizing the Package

With both postinstall and prepare scripts set to node myscript, the next step was to add a myscript.js file inside kitchensink.zip with arbitrary code — in this case, launching calc.exe to prove execution. The modified files were then repacked into the .arexport archive.

Exploit Walkthrough

  • Step 1: Install a legitimate AR Library package in Spark AR Studio and save the project as .arexport.
  • Step 2: Open the .arexport ZIP and navigate to internal/kitchensink.zip.
  • Step 3: Modify package.json inside kitchensink.zip to add postinstall and prepare lifecycle scripts.
  • Step 4: Add myscript.js with the desired payload to kitchensink.zip.
  • Step 5: Repack and distribute the .arexport file. When any victim opens it in Spark AR Studio — code executes.
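The structure described above (an .arexport ZIP, an internal/ folder, a nested kitchensink.zip carrying a package.json with lifecycle hooks) is exactly what a defender can check for before a project file is ever opened. The following script is an added example, not code from the original write-up or from Meta; it walks an archive, recurses into nested ZIPs, parses every package.json it finds and flags npm lifecycle hooks such as postinstall and prepare. The sample .arexport it builds in memory is constructed for the demonstration (the file names inside it mirror the post, but the contents are placeholders), and the nesting-depth limit is an assumption chosen here to avoid recursing into zip bombs.

```python
import io
import json
import zipfile

# npm hooks that run automatically around an install, without the user
# invoking them by name. A bundled package.json that defines any of these
# means "loading this project may execute a script".
LIFECYCLE_HOOKS = {
    "preinstall", "install", "postinstall",
    "preprepare", "prepare", "postprepare", "prepublish",
}


def scan_package_json(raw, path):
    """Return findings (path, reason, detail) for one package.json given as bytes."""
    try:
        manifest = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        # An unparseable manifest is itself worth a look: it should be plain JSON.
        return [(path, "unparseable package.json", str(exc))]
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return [(path, "scripts is not an object", repr(scripts))]
    return [
        (path, f"lifecycle hook '{name}'", cmd)
        for name, cmd in scripts.items()
        if name in LIFECYCLE_HOOKS
    ]


def scan_archive(data, prefix="", depth=0, max_depth=3):
    """Walk a ZIP given as bytes, recursing into nested ZIPs, and collect findings.

    Nested archive members are reported as outer.zip!/inner/path so the finding
    points at the exact file an analyst must extract.
    """
    if depth > max_depth:  # assumption: 3 levels is enough for project exports
        return [(prefix, "nesting too deep; not inspected", "")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            basename = info.filename.rsplit("/", 1)[-1]
            content = zf.read(info)
            if basename == "package.json":
                findings.extend(scan_package_json(content, path))
            elif basename.lower().endswith(".zip"):
                findings.extend(scan_archive(content, path + "!/", depth + 1, max_depth))
    return findings


def build_sample_arexport(scripts):
    """Constructed sample: an .arexport-shaped ZIP with internal/kitchensink.zip inside.

    Not a real Spark AR export; only the layout from the write-up is reproduced.
    """
    manifest = {"dependencies": {"spark-entity-components": "0.1.1"}, "scripts": scripts}
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("package.json", json.dumps(manifest))
        if scripts:
            z.writestr("myscript.js", "// constructed placeholder, no payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("project.arproj", "constructed placeholder project data")
        z.writestr("internal/kitchensink.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_arexport({"postinstall": "node myscript", "prepare": "node myscript"})
    for path, reason, detail in scan_archive(sample):
        print(f"{path}: {reason} -> {detail!r}")
```

Running the script on the constructed sample reports both hooks under internal/kitchensink.zip!/package.json; a project whose bundled manifest has no lifecycle scripts produces no output. To use it on a real file, pass the bytes of the .arexport to scan_archive and treat any finding as a reason not to open the project in an environment that would run npm install.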

Impact & Disclosure

Opening a malicious .arexport file in Spark AR Studio results in the execution of arbitrary code on the victim's machine with no user interaction beyond opening the file. This could be leveraged for full system compromise, credential theft, or ransomware delivery.

The vulnerability was reported to Meta's Facebook Bug Bounty program. Meta confirmed the issue and — noting it affected a discontinued product — applied a 1.05x multiplier to the base $2,500 bounty:

$2,625
Meta Bug Bounty Payout (1.05x multiplier)

Spark AR Studio has since been discontinued by Meta, closing this attack surface permanently.

Written by Fady Othman, Co-founder and Director of R&D at ZINAD.

Protect Your Development Pipeline

Supply chain attacks via crafted package files are a growing vector. ZINAD's security services include developer security training and application security assessments to help organizations identify and mitigate these risks.

https://ZINAD.net/support-page.html