Platform
nodejs
Component
@backstage/backend-defaults
Fixed in
0.12.3
0.13.1
0.14.1
0.12.2
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability affecting the @backstage/backend-defaults component. This vulnerability allows attackers to bypass URL allowlists within Backstage, potentially granting access to internal resources. The issue is fixed in version 0.12.2 and was published on January 21, 2026.
The vulnerability lies in the FetchUrlReader component, which is responsible for fetching content from URLs. Because FetchUrlReader follows HTTP redirects automatically, an attacker who controls a host listed in backend.reading.allow can answer with a crafted redirect. That redirect can point at internal or otherwise sensitive URLs that the allowlist does not explicitly permit, so the allowlist check is applied only to the first URL and the intended security control is circumvented. Although the vulnerability does not let attackers inject custom request headers, the ability to steer requests to internal resources is a significant risk: it could expose sensitive data or internal APIs, or enable reconnaissance of the internal network.
The vulnerability's exploitation probability is currently assessed as low. No public proof-of-concept (POC) code has been released. The vulnerability was published on January 21, 2026, and is not currently listed on KEV or EPSS. Organizations should prioritize patching to prevent potential exploitation.
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to @backstage/backend-defaults version 0.12.2 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing stricter URL validation and sanitization within your Backstage plugins. Review and restrict the hosts listed in backend.reading.allow to only those absolutely necessary. WAF rules can be configured to detect and block suspicious HTTP redirects originating from trusted hosts. Regularly audit your Backstage configuration and plugin dependencies to identify and address potential vulnerabilities.
Update the `@backstage/backend-defaults` package to version 0.12.2, 0.13.2, 0.14.1, 0.15.0 or later. Alternatively, restrict `backend.reading.allow` to trusted hosts that you control and that do not issue redirects, make sure the allowed hosts have no open-redirect weaknesses, and/or use network-level controls to block Backstage's access to sensitive internal endpoints.
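As an added illustration of the "stricter URL validation" mitigation described above (example code, not Backstage's own FetchUrlReader or its configuration schema): a reader that follows redirects manually and checks every hop against the allowlist before it is requested, so a redirect from a trusted host cannot reach a host the allowlist does not name. The allowlist shape (`{ host, paths? }`), the hostnames and the injectable `fetchImpl` are assumptions made for this example.

```javascript
// Added example, not Backstage code: check every redirect hop against an
// allowlist instead of letting fetch follow redirects automatically.
// Allowlist shape { host, paths? } and the hostnames below are constructed.
const ALLOWLIST = [
  { host: 'docs.example.com' },
  { host: 'artifacts.example.com', paths: ['/public/'] },
];

// True when the URL is http(s) and its host (and path prefix, if the entry
// has one) matches an allowlist entry. Unparseable URLs are rejected.
function isAllowed(urlString, allowlist = ALLOWLIST) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return allowlist.some((entry) =>
    entry.host === url.hostname &&
    (!entry.paths || entry.paths.some((p) => url.pathname.startsWith(p))));
}

// Follow redirects by hand with `redirect: 'manual'`, validating each target
// *before* it is requested. `fetchImpl` is injectable for offline testing.
async function fetchWithAllowlist(urlString, opts = {}) {
  const { fetchImpl = globalThis.fetch, maxHops = 5, allowlist = ALLOWLIST } = opts;
  let current = urlString;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAllowed(current, allowlist)) {
      throw new Error(`blocked: ${current} is not in the allowlist`);
    }
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get('location');
    if (!location) return res; // 3xx without Location: nothing to follow
    current = new URL(location, current).toString(); // resolve relative paths
  }
  throw new Error(`too many redirects starting from ${urlString}`);
}

// Constructed offline fetch: the trusted docs host answers with a redirect to
// an internal address, which is the case the per-hop check must reject.
function mockFetch(url) {
  const headers = new Map();
  if (url.startsWith('https://docs.example.com/')) {
    headers.set('location', 'http://internal-service.local/admin');
    return Promise.resolve({ status: 302, headers });
  }
  return Promise.resolve({ status: 200, headers });
}
```

With the real `fetch`, the same loop applies because `redirect: 'manual'` returns the 3xx response instead of following it.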
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability in the @backstage/backend-defaults component of Backstage. It allows attackers to bypass URL allowlists and access internal resources via HTTP redirects.
You are affected if you are using a version of @backstage/backend-defaults prior to 0.12.2 and have the FetchUrlReader component in use, especially if your backend.reading.allow configuration is not strictly controlled.
Upgrade to @backstage/backend-defaults version 0.12.2 or later. If immediate upgrade is not possible, implement stricter URL validation and restrict hosts in backend.reading.allow.
Currently, there are no reports of active exploitation or publicly available proof-of-concept code for CVE-2026-24048.
Refer to the official Backstage security advisories and release notes for details on CVE-2026-24048 and the corresponding fix: [https://backstage.io/docs/security](https://backstage.io/docs/security)