FKIE_CVE-2026-24047

Vulnerability from fkie_nvd - Published: 2026-01-21 23:15 - Updated: 2026-04-15 00:35
Summary
Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 \u2192 link2 \u2192 /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users."
    },
    {
      "lang": "es",
      "value": "Backstage es un framework abierto para construir portales de desarrollador, y @backstage/cli-common proporciona funcionalidad de carga de configuraci\u00f3n utilizada por el backend y la interfaz de l\u00ednea de comandos de Backstage. Antes de la versi\u00f3n 0.1.17, la funci\u00f3n de utilidad \u0027resolveSafeChildPath\u0027 en \u0027@backstage/backend-plugin-api\u0027, que se utiliza para prevenir ataques de salto de ruta, no validaba correctamente las cadenas de enlaces simb\u00f3licos y los enlaces simb\u00f3licos colgantes. Un atacante podr\u00eda eludir la validaci\u00f3n de ruta a trav\u00e9s de cadenas de enlaces simb\u00f3licos (creando \u0027link1 \u2192 link2 \u2192 /outside\u0027 donde los enlaces simb\u00f3licos intermedios finalmente se resuelven fuera del directorio permitido) y enlaces simb\u00f3licos colgantes (creando enlaces simb\u00f3licos que apuntan a rutas inexistentes fuera del directorio base, que luego se crear\u00edan durante las operaciones de archivo). Esta funci\u00f3n es utilizada por las acciones de Scaffolder y otros componentes de backend para asegurar que las operaciones de archivo permanezcan dentro de los directorios designados. Esta vulnerabilidad se corrige en \u0027@backstage/backend-plugin-api\u0027 versi\u00f3n 0.1.17. Los usuarios deben actualizar a esta versi\u00f3n o posterior. Hay disponibles algunas soluciones alternativas. Ejecute Backstage en un entorno en contenedores con acceso limitado al sistema de archivos y/o restrinja la creaci\u00f3n de plantillas a usuarios de confianza."
    }
  ],
  "id": "CVE-2026-24047",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-21T23:15:53.407",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-59"
        },
        {
          "lang": "en",
          "value": "CWE-61"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
