Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-2p49-45hj-7mc9

Опубликовано: 21 янв. 2026
Источник: github
Github: Прошло ревью
CVSS3: 6.3

Описание

@backstage/cli-common has a possible resolveSafeChildPath Symlink Chain Bypass

Impact

The resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:

  1. Symlink chains: Creating link1 → link2 → /outside where intermediate symlinks eventually resolve outside the allowed directory
  2. Dangling symlinks: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations

This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.

Patches

This vulnerability is fixed in @backstage/backend-plugin-api version 0.1.17. Users should upgrade to this version or later.

Workarounds

  • Run Backstage in a containerised environment with limited filesystem access
  • Restrict template creation to trusted users

Ссылки

Пакеты

Наименование

@backstage/cli-common

npm
Затронутые версииВерсия исправления

<= 0.1.16

0.1.17

EPSS

Процентиль: 3%
0.00017
Низкий

6.3 Medium

CVSS3

CVE ID

CVE-2026-24047

Дефекты

CWE-59
CWE-61

Связанные уязвимости

nvd логотип

CVE-2026-24047

CVSS3: 6.3
nvd
17 дней назад

Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or l

EPSS

Процентиль: 3%
0.00017
Низкий

6.3 Medium

CVSS3

CVE ID

CVE-2026-24047

Дефекты

CWE-59
CWE-61