Platform
nodejs
Component
@backstage/backend-defaults
Fixed in
0.12.3
0.13.1
0.14.1
0.12.2
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability affecting the @backstage/backend-defaults component. This vulnerability allows attackers to bypass URL allowlists within Backstage, potentially granting access to internal resources. The issue is fixed in version 0.12.2 and was published on January 21, 2026.
The vulnerability lies within the FetchUrlReader component, responsible for fetching content from URLs. Due to automatic HTTP redirect handling, an attacker controlling a host listed in backend.reading.allow can craft malicious redirects. These redirects can point to internal or sensitive URLs that are not explicitly permitted by the allowlist, effectively circumventing the intended security control. While the vulnerability doesn't allow attackers to inject custom request headers, the ability to redirect requests to internal resources poses a significant risk. This could expose sensitive data, internal APIs, or even allow for reconnaissance of the internal network.
The vulnerability's exploitation probability is currently assessed as low. No public proof-of-concept (POC) code has been released. The vulnerability was published on January 21, 2026, and is not currently listed on KEV or EPSS. Organizations should prioritize patching to prevent potential exploitation.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to @backstage/backend-defaults version 0.12.2 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing stricter URL validation and sanitization within your Backstage plugins. Review and restrict the hosts listed in backend.reading.allow to only those absolutely necessary. WAF rules can be configured to detect and block suspicious HTTP redirects originating from trusted hosts. Regularly audit your Backstage configuration and plugin dependencies to identify and address potential vulnerabilities.
Actualice el paquete `@backstage/backend-defaults` a la versión 0.12.2, 0.13.2, 0.14.1, 0.15.0 o superior. Como alternativa, restrinja `backend.reading.allow` a hosts de confianza que controle y que no realicen redirecciones, asegúrese de que los hosts permitidos no tengan vulnerabilidades de redirección abierta, y/o utilice controles a nivel de red para bloquear el acceso desde Backstage a endpoints internos sensibles.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability in the @backstage/backend-defaults component of Backstage. It allows attackers to bypass URL allowlists and access internal resources via HTTP redirects.
You are affected if you are using a version of @backstage/backend-defaults prior to 0.12.2 and have the FetchUrlReader component in use, especially if your backend.reading.allow configuration is not strictly controlled.
Upgrade to @backstage/backend-defaults version 0.12.2 or later. If immediate upgrade is not possible, implement stricter URL validation and restrict hosts in backend.reading.allow.
Currently, there are no reports of active exploitation or publicly available proof-of-concept code for CVE-2026-24048.
Refer to the official Backstage security advisories and release notes for details on CVE-2026-24048 and the corresponding fix: [https://backstage.io/docs/security](https://backstage.io/docs/security)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.