Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-rq6q-wr2q-7pgp

Опубликовано: 21 янв. 2026
Источник: github
Github: Прошло ревью
CVSS3: 7.1

Описание

Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

Impact

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:

  1. Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
  2. Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace
  3. Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks

This affects any Backstage deployment where users can create or execute Scaffolder templates.

Patches

This vulnerability is fixed in the following package versions:

  • @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, 0.15.0
  • @backstage/plugin-scaffolder-backend version 2.2.2, 3.0.2, 3.1.1
  • @backstage/plugin-scaffolder-node version 0.11.2, 0.12.3

Users should upgrade to these versions or later.

Workarounds

  • Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates
  • Restrict who can create and execute Scaffolder templates using the permissions framework
  • Audit existing templates for symlink usage
  • Run Backstage in a containerized environment with limited filesystem access

References

Ссылки

Пакеты

Наименование

@backstage/backend-defaults

npm
Затронутые версииВерсия исправления

< 0.12.2

0.12.2

Наименование

@backstage/backend-defaults

npm
Затронутые версииВерсия исправления

>= 0.13.0, < 0.13.2

0.13.2

Наименование

@backstage/backend-defaults

npm
Затронутые версииВерсия исправления

>= 0.14.0, < 0.14.1

0.14.1

Наименование

@backstage/plugin-scaffolder-backend

npm
Затронутые версииВерсия исправления

< 2.2.2

2.2.2

Наименование

@backstage/plugin-scaffolder-backend

npm
Затронутые версииВерсия исправления

>= 3.0.0, < 3.0.2

3.0.2

Наименование

@backstage/plugin-scaffolder-backend

npm
Затронутые версииВерсия исправления

>= 3.1.0, < 3.1.1

3.1.1

Наименование

@backstage/plugin-scaffolder-node

npm
Затронутые версииВерсия исправления

< 0.11.2

0.11.2

Наименование

@backstage/plugin-scaffolder-node

npm
Затронутые версииВерсия исправления

>= 0.12.0, < 0.12.3

0.12.3

EPSS

Процентиль: 4%
0.00018
Низкий

7.1 High

CVSS3

CVE ID

CVE-2026-24046

Дефекты

CWE-22
CWE-59

Связанные уязвимости

nvd логотип

CVE-2026-24046

CVSS3: 7.1
nvd
17 дней назад

Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these

EPSS

Процентиль: 4%
0.00018
Низкий

7.1 High

CVSS3

CVE ID

CVE-2026-24046

Дефекты

CWE-22
CWE-59