CVE-2026-24048
📋 TL;DR
This SSRF vulnerability in Backstage's FetchUrlReader component allows attackers who control allowed hosts to bypass URL allowlist restrictions via HTTP redirects. It enables access to internal resources that aren't on the allowlist, potentially exposing sensitive internal endpoints. All Backstage deployments using vulnerable versions of @backstage/backend-defaults are affected.
💻 Affected Systems
- Backstage
- @backstage/backend-defaults
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains access to sensitive internal systems, cloud metadata services, or internal APIs, potentially leading to data exfiltration or further lateral movement.
Likely Case
Limited access to internal resources that aren't properly firewalled, potentially exposing internal services or metadata.
If Mitigated
With proper network segmentation and allowlist restrictions, impact is limited to allowed hosts only.
🎯 Exploit Status
Exploitation requires control over a host in the allowlist and the ability to set up redirects from it. No authentication bypass is needed beyond controlling an allowed host.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.12.2, 0.13.2, 0.14.1, or 0.15.0
Vendor Advisory: https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9
Restart Required: Yes
Instructions:
1. Update @backstage/backend-defaults to version 0.12.2, 0.13.2, 0.14.1, or 0.15.0.
2. Update package.json dependencies.
3. Run npm install or yarn install.
4. Restart Backstage services.
🔧 Temporary Workarounds
Restrict allowlist to trusted hosts
Limit backend.reading.allow to only hosts you fully control that don't issue redirects
Edit backstage configuration to update backend.reading.allow list
Network segmentation
Implement network-level controls to block Backstage from accessing sensitive internal endpoints
Configure firewall rules to restrict Backstage network access
🧯 If You Can't Patch
- Audit and restrict backend.reading.allow list to only essential, trusted hosts
- Implement network segmentation and firewall rules to limit Backstage's access to internal resources
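The redirect path described above can be closed by validating every hop of a redirect chain, not just the first URL. The following is an added example, not Backstage's own code: it uses a constructed allowlist (docs.example.com, git.example.com) and an injected transport stub in place of a real HTTP client so it runs offline.

```javascript
// Added example, not Backstage code: re-check every redirect hop against the allowlist.
// Constructed allowlist in the shape of backend.reading.allow entries.
const ALLOW = [{ host: 'docs.example.com' }, { host: 'git.example.com' }];

// Pure check: only http(s) URLs whose hostname is explicitly listed pass.
function isAllowedUrl(url, allow = ALLOW) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  return allow.some((entry) => entry.host === parsed.hostname);
}

// transport(url) makes one request with redirects disabled (fetch's redirect: 'manual')
// and returns { status, location }; it is injected so the chain logic runs offline.
function followRedirects(startUrl, transport, allow = ALLOW, maxHops = 5) {
  const chain = [];
  let current = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAllowedUrl(current, allow)) {
      return { ok: false, reason: 'host not in allowlist', chain, blocked: current };
    }
    chain.push(current);
    const res = transport(current);
    if ([301, 302, 303, 307, 308].includes(res.status)) {
      if (!res.location) return { ok: false, reason: 'redirect without Location', chain };
      // Resolve relative Location values against the current URL before re-checking.
      current = new URL(res.location, current).toString();
      continue;
    }
    return { ok: true, status: res.status, chain, final: current };
  }
  return { ok: false, reason: 'too many redirects', chain };
}

// Constructed stub: an allowed host redirects to a constructed internal address
// (10.0.0.5), which the per-hop check must refuse.
function stubTransport(url) {
  if (url === 'https://docs.example.com/catalog.yaml') {
    return { status: 302, location: 'http://10.0.0.5/internal/' };
  }
  if (url === 'https://git.example.com/old') return { status: 301, location: '/new' };
  return { status: 200 };
}
```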
🔍 How to Verify
Check if Vulnerable:
Check package.json for the @backstage/backend-defaults version. If the installed version is below the patched release for its line (0.12.2, 0.13.2, 0.14.1, or 0.15.0), the system is vulnerable.
Check Version:
npm list @backstage/backend-defaults or check package.json
Verify Fix Applied:
Verify that the @backstage/backend-defaults version is 0.12.2, 0.13.2, 0.14.1, or 0.15.0, or higher, in both package.json and node_modules.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in Backstage logs
- Requests to unexpected internal IPs from Backstage
Network Indicators:
- HTTP redirect chains from allowed hosts to internal IPs
- Backstage making requests to internal services not on allowlist
SIEM Query:
source="backstage" AND (http.status=3* OR redirect OR "Location:")