CVE-2026-24048

Severity: Low · CVSS 3.1 base score 3.7 · EPSS 10.0%
Published Jan 21, 2026 · Last Modified Jun 17, 2026

Description

Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. The allowlist in `backend.reading.allow` was checked only against the originally requested URL, so an attacker who controls a host on that allowlist (or who can abuse an open redirect on one) could redirect the request to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources; it does not allow attackers to include additional request headers. The vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, and users should upgrade to one of these versions or later. Some workarounds are available: restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.
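The defensive pattern behind the fix, as an added example that is not Backstage's own code: the HTTP client is told not to follow redirects, and every hop is re-validated against the host allowlist before the next request is sent. `readUrlWithAllowlist`, `hostAllowed`, the host-only allowlist syntax, and the fake `fetchImpl` with its constructed routes are all assumptions made for this illustration.

```javascript
// Added example, not Backstage's own code: a URL reader that never lets the
// HTTP client follow redirects on its own. Each hop is re-checked against the
// host allowlist, so an open redirect on a trusted host cannot reach an
// internal address. `fetchImpl` is a fetch-compatible function injected so
// the example runs offline against the constructed fake below.
const MAX_REDIRECTS = 5;

// Exact hostname match against the configured list (assumed host-only
// entries; the real `backend.reading.allow` syntax also accepts paths).
function hostAllowed(url, allowedHosts) {
  return allowedHosts.includes(new URL(url).hostname);
}

async function readUrlWithAllowlist(url, allowedHosts, fetchImpl) {
  let current = url;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (!hostAllowed(current, allowedHosts)) {
      throw new Error(`host not in allowlist: ${new URL(current).hostname}`);
    }
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get('location');
      if (!location) throw new Error('redirect without Location header');
      // Relative Location values resolve against the URL that issued them.
      current = new URL(location, current).toString();
      continue; // the loop re-validates the new host before requesting it
    }
    return { finalUrl: current, status: res.status, body: await res.text() };
  }
  throw new Error('too many redirects');
}

// Constructed fake fetch: canned responses keyed by URL, header names lowercase.
function makeFakeFetch(routes) {
  return async (url) => {
    const r = routes[url] || { status: 404 };
    return {
      status: r.status,
      headers: new Map(Object.entries(r.headers || {})),
      text: async () => r.body || '',
    };
  };
}

const ALLOWED_HOSTS = ['scm.example.test']; // hypothetical allowlisted host
const FAKE_ROUTES = {
  'https://scm.example.test/catalog-info.yaml': { status: 200, body: 'apiVersion: backstage.io/v1alpha1' },
  // Same-host relative redirect: allowed, lands on the file above.
  'https://scm.example.test/moved': { status: 302, headers: { location: '/catalog-info.yaml' } },
  // Open redirect on the trusted host pointing at an internal service: refused.
  'https://scm.example.test/open-redirect': { status: 302, headers: { location: 'http://internal.example.test/admin' } },
};
const fakeFetch = makeFakeFetch(FAKE_ROUTES);
```

With a real `fetch`, passing `{ redirect: 'manual' }` makes 3xx responses visible to the caller instead of being followed silently, which is what lets the allowlist check run on every hop.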

CVSS Details

Base Score
3.7
Exploitability
2.2
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
10.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-918 Server-Side Request Forgery (SSRF) Validation

Affected Products 3

Vendor           Product                      Version Range
linuxfoundation  backstage/backend_defaults   <0.12.2
linuxfoundation  backstage/backend_defaults   ≥0.13.0 – ≤0.13.2
linuxfoundation  backstage/backend_defaults   ≥0.14.0 – ≤0.14.1

References 2

  • github.com https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb
    Patch
  • github.com https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9
    Vendor Advisory

Remediation

  • github.com https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb
    Patch