Описание
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
Impact
A Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD
metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects.
The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly
enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.
Patches
Patched in @backstage/plugin-auth-backend version 0.27.1. The fix disables HTTP redirect following when fetching CIMD metadata documents.
Workarounds
Disable the experimental CIMD feature by removing or setting auth.experimentalClientIdMetadataDocuments.enabled to false in your app-config. This is the default configuration.
Alternatively, restrict allowedClientIdPatterns to specific trusted domains rather than using the default wildcard pattern.
References
Пакеты
@backstage/plugin-auth-backend
< 0.27.1
0.27.1
Связанные уязвимости
A server side request forgery flaw has been discovered in the npm @backstage/plugin-auth-backend package. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected. Patched in @backstage/plugin-auth-backend version 0.27.1.