CVE-2024-45816: Directory Traversal in @backstage/plugin-techdocs-backend

The core impact of CVE-2024-45816 lies in its ability to bypass access controls within the TechDocs storage configuration. When using AWS S3 or GCS as the storage provider, an attacker can craft malicious requests to traverse the directory structure and access files outside of the intended TechDocs content. This could lead to the exposure of confidential data stored in the bucket, such as configuration files, API keys, or even other application data. The blast radius extends to any data stored in the S3/GCS bucket, regardless of its intended purpose, as the attacker effectively gains unrestricted read access. This vulnerability is particularly concerning because it can be exploited without authentication, making it a high-risk exposure for organizations relying on Backstage and its TechDocs plugin.

1. Reserved2024-09-09
2. Published2024-09-17
3. Modified2025-01-03
4. EPSS updated2026-04-02

The primary mitigation for CVE-2024-45816 is to immediately upgrade the @backstage/plugin-techdocs-backend package to version 1.10.13 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing stricter access controls on the S3/GCS bucket. This includes limiting the permissions granted to the TechDocs service account and implementing bucket policies that restrict access to specific directories. While not a complete solution, these measures can reduce the potential impact of a successful exploit. Regularly review and audit the permissions granted to the TechDocs service account to ensure they adhere to the principle of least privilege. After upgrading, confirm the fix by attempting to access files outside the intended TechDocs directory via the TechDocs API; access should be denied.