CVE-2026-24047

MEDIUM EPSS 34.4%
Published Jan 21, 20265mo ago · Modified Jun 17, 20262w ago
6.3 CVSS 3.1
Medium
Find Similar
Published Jan 21, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users.

CVSS Details

Base Score
6.3
Exploitability
1.8
Impact
4.0
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
34.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-59
CWE-61

References 2

  • github.com https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692
  • github.com https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.