CVE-2026-24047
📋 TL;DR
The resolveSafeChildPath function in Backstage's @backstage/backend-plugin-api (also shipped via @backstage/cli-common) can be bypassed with symlink chains and dangling symlinks: a child path that passes the lexical traversal check can still resolve, through a symlink planted inside the directory, to a location outside it. Deployments are affected where Scaffolder actions or other backend components rely on resolveSafeChildPath to confine file operations to a workspace; an attacker who can get such a symlink into that workspace could write files outside the designated directory.
💻 Affected Systems
- Backstage
- @backstage/backend-plugin-api
- @backstage/cli-common
⚠️ Manual Verification Required
This CVE does not carry version ranges in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD). Use the fixed version named in the vendor advisory linked under Fix & Mitigation as your reference point.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file write leading to remote code execution, data exfiltration, or complete system compromise
Likely Case
Unauthorized file writes to sensitive locations, potentially enabling privilege escalation or data manipulation
If Mitigated
Limited impact with proper containerization and access controls, potentially only file writes within restricted scope
🎯 Exploit Status
Exploitation requires ability to create or modify templates that use Scaffolder actions, and knowledge of symlink manipulation techniques
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @backstage/backend-plugin-api version 0.1.17 or later
Vendor Advisory: https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9
Restart Required: Yes
Instructions:
1. Update package.json to require @backstage/backend-plugin-api version 0.1.17 or later (and @backstage/cli-common where it is a direct dependency).
2. Upgrade with your package manager (for example `yarn upgrade @backstage/backend-plugin-api` or `npm update @backstage/backend-plugin-api`) so the lockfile and node_modules pick up the new version.
3. Restart all Backstage services.
4. Verify the update was successful by checking the resolved version, not just the range in package.json.
🔧 Temporary Workarounds
Containerization with limited filesystem access
Run Backstage in a container with a read-only root filesystem and read-only mounts for the application tree, giving the Scaffolder a dedicated writable scratch volume for its working directory (backend.workingDirectory in app-config) rather than write access to the rest of the filesystem. For example:
docker run --read-only --tmpfs /tmp -v /safe/path:/app:ro backstage-image
Restrict template creation
Limit template creation and modification to trusted administrators only; the attack needs a template (or content the template pulls into the workspace) that places a symlink where a Scaffolder action will write.
🧯 If You Can't Patch
- Implement strict access controls on template creation and modification
- Deploy Backstage in containerized environments with minimal filesystem access and read-only volumes
🔍 How to Verify
Check if Vulnerable:
Check the resolved version of @backstage/backend-plugin-api, not only the range in package.json. If any installed copy is older than 0.1.17, the system is vulnerable. In a monorepo the package is usually a transitive dependency of several plugins and can be present more than once at different versions.
Check Version:
`yarn why @backstage/backend-plugin-api` or `npm list @backstage/backend-plugin-api` (both list every resolved copy), or inspect the lockfile directly.
Verify Fix Applied:
Verify that every resolved copy of @backstage/backend-plugin-api in the lockfile and under node_modules is 0.1.17 or higher, and that the running service was restarted after the upgrade.
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations outside expected directories
- Multiple symlink creation events in short timeframes
- Failed path validation warnings in Backstage logs
Network Indicators:
- Unusual template uploads or modifications from unexpected sources
SIEM Query:
source="backstage" AND ("symlink" OR "path traversal" OR "resolveSafeChildPath")
Note that these terms match the error raised when the check rejects a path, so hits indicate attempts; a successful bypass passes the check silently and shows up only as the unexpected file write itself.