CVE-2026-24048
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the FetchUrlReader component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict backend.reading.allow to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| backstage | backstage | < 0.12.2 | affected |
| backstage | backstage | >= 0.13.0, < 0.13.2 | affected |
| backstage | backstage | >= 0.14.0, < 0.14.1 | affected |
Weaknesses
- CWE-918: CWE-918: Server-Side Request Forgery (SSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9
- https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.