Platform: nodejs
Component: @backstage/integration
Fixed in: 1.20.2, 1.20.1
CVE-2026-29185 is a path traversal vulnerability in @backstage/integration, the Backstage package that integrates with Source Code Management (SCM) systems. An attacker who can supply an SCM URL can redirect the resulting API request to an unintended SCM provider endpoint, and that request is sent with the integration credentials configured on the server. Instances using SCM integrations such as GitHub and Bitbucket are affected wherever user-provided SCM URLs are processed. A patch is available in version 1.20.1 (1.20.2 is also listed as fixed).
The core of the vulnerability is how @backstage/integration parses SCM URLs. An attacker crafts a URL whose path contains traversal sequences, percent-encoded so that a check on the raw, still-encoded string does not see them. When integration functions decode that path and splice it into a provider API URL, the ".." segments are resolved (by the URL parser on the Backstage side or by the provider), so the request lands on an arbitrary API endpoint of the SCM provider. Because the request carries the server-side integration credentials configured in the Backstage instance, the attacker effectively acts as the integration and can read data or perform actions that the credential allows. The blast radius covers every feature that accepts a user-provided SCM URL, such as the scaffolder or other integration points.
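The TypeScript below is an added illustration of the pattern just described; it is not code from Backstage or from this advisory. It assumes a hypothetical GitHub URL parser and two API URL builders (parseGithubUrl, buildContentsUrlNaive, buildContentsUrlSafe), and the target path other/endpoint and the repository URLs are constructed for the example. The naive builder checks the raw string for ".." and decodes afterwards, so a fully encoded %2e%2e%2f passes the check and the URL constructor then resolves the traversal out of the repository prefix; the hardened builder decodes first, validates each segment, re-encodes, and verifies the final path prefix.

```typescript
// Added illustration of the bug class; not Backstage's own code. The parser,
// the builder names and the "other/endpoint" target are hypothetical. The
// vulnerable pattern is: check the raw string, decode, then build the URL.

const GITHUB_API = "https://api.github.com";

interface RepoRef {
  owner: string;
  repo: string;
  ref: string;
  path: string; // still percent-encoded, exactly as the user supplied it
}

// Split https://github.com/<owner>/<repo>/blob|tree/<ref>/<path> into parts.
function parseGithubUrl(scmUrl: string): RepoRef {
  const url = new URL(scmUrl);
  if (url.host !== "github.com") throw new Error("not a github.com URL");
  const [owner, repo, kind, ref, ...rest] = url.pathname.split("/").filter(s => s !== "");
  if (!owner || !repo || (kind !== "blob" && kind !== "tree") || !ref) {
    throw new Error("unrecognised GitHub URL shape");
  }
  return { owner, repo, ref, path: rest.join("/") };
}

// VULNERABLE pattern: the traversal check looks at the raw, still-encoded
// string, decoding happens afterwards, and the URL constructor then
// normalises the ".." segments, walking out of /repos/<owner>/<repo>/contents.
function buildContentsUrlNaive(scmUrl: string): string {
  const { owner, repo, ref, path } = parseGithubUrl(scmUrl);
  if (path.includes("..")) throw new Error("path traversal rejected"); // "%2e%2e%2f" slips through
  const decoded = decodeURIComponent(path); // ...and becomes "../" here
  return new URL(`/repos/${owner}/${repo}/contents/${decoded}?ref=${ref}`, GITHUB_API).toString();
}

const OWNER_OR_REPO = /^[A-Za-z0-9_.-]+$/;

// HARDENED pattern: decode first, validate the decoded segments, re-encode
// every segment, and check that the final URL still sits under the intended prefix.
function buildContentsUrlSafe(scmUrl: string): string {
  const { owner, repo, ref, path } = parseGithubUrl(scmUrl);
  for (const name of [owner, repo]) {
    if (!OWNER_OR_REPO.test(name) || name === "." || name === "..") throw new Error("invalid owner or repo");
  }
  const segments = decodeURIComponent(path).split("/").filter(s => s !== "");
  for (const s of segments) {
    if (s === "." || s === "..") throw new Error("path traversal rejected");
    if (/[\\\u0000-\u001f]/.test(s)) throw new Error("control character or backslash in path");
  }
  const apiPath = ["repos", owner, repo, "contents", ...segments].map(encodeURIComponent).join("/");
  const api = new URL("/" + apiPath, GITHUB_API);
  api.searchParams.set("ref", ref);
  const prefix = `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/contents`;
  if (api.pathname !== prefix && !api.pathname.startsWith(prefix + "/")) {
    throw new Error("resolved URL escaped the repository contents prefix");
  }
  return api.toString();
}

// Constructed inputs: a legitimate catalog file and an encoded-traversal URL.
const BENIGN_URL = "https://github.com/acme/app/blob/main/docs/catalog-info.yaml";
const ATTACK_URL = "https://github.com/acme/app/blob/main/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fother%2fendpoint";

console.log(buildContentsUrlNaive(BENIGN_URL)); // https://api.github.com/repos/acme/app/contents/docs/catalog-info.yaml?ref=main
console.log(buildContentsUrlNaive(ATTACK_URL)); // https://api.github.com/other/endpoint?ref=main
try {
  buildContentsUrlSafe(ATTACK_URL);
} catch (e) {
  console.log("hardened builder rejected it:", (e as Error).message);
}
```

Both builders produce the same API URL for the benign input; for the encoded input the naive builder sends the integration's credential to /other/endpoint while the hardened one throws. Note that the literal ..%2f would have tripped even the naive check here; it is the fully encoded %2e%2e%2f form that a raw-string check misses.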
CVE-2026-29185 was publicly disclosed on 2026-03-05. There is no indication of active exploitation or a CISA KEV listing at the time of writing, and no public proof-of-concept (PoC) code has been released. The CVSS score is rated LOW and the EPSS estimate is 0.01% (2nd percentile), which together point to a low likelihood of exploitation; CVSS measures severity rather than likelihood, and the exposure of server-side credentials still warrants prompt remediation.
Organizations running Backstage with SCM integrations, particularly those that accept user-provided SCM URLs in features such as the scaffolder, are at risk. Shared hosting environments in which several Backstage instances share integration credentials are particularly exposed, because a redirect achieved through one instance uses a credential that is also valid for the others.
• nodejs / server: npm list @backstage/integration (shows every installed copy and its version, including nested copies pulled in by other @backstage packages; any copy below 1.20.1 is vulnerable)
• nodejs / server: grep -r 'scaffolder' ./src/ (locates scaffolder usage, i.e. a feature that takes user-provided SCM URLs; it does not by itself prove the vulnerable code path is reachable)
• generic web: Inspect Backstage integration configuration files for any unusual URL patterns or overly permissive settings.
• generic web: Review access logs for requests containing encoded path traversal sequences (e.g., ..%2f). Also search for the fully encoded form %2e%2e%2f, the backslash variant ..%5c, and the double-encoded %252e%252e%252f, since a filter written for ..%2f alone misses them.
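As an added example of the access-log review (not part of this advisory or of Backstage), the TypeScript below scans constructed combined-log-format lines for traversal sequences that appear only after one or two rounds of percent-decoding, so the single-, fully- and double-encoded variants are all caught by one check. The request path /api/example/import?url=... is a hypothetical stand-in; in Backstage the SCM URL often arrives in a POST body, so the same check should also be run over request-body or application logs where those are retained.

```typescript
// Added detection example for the log-review step; not code from the page or
// from Backstage. The log lines are constructed, and the /api/example/import
// request path that carries the SCM URL is a hypothetical stand-in.

// Constructed access-log sample (combined log format, one request per line).
const SAMPLE_ACCESS_LOG: string[] = [
  '10.0.0.5 - - [05/Mar/2026:10:00:01 +0000] "GET /api/catalog/locations HTTP/1.1" 200 512',
  '10.0.0.5 - - [05/Mar/2026:10:00:02 +0000] "POST /api/example/import HTTP/1.1" 201 88',
  '198.51.100.7 - - [05/Mar/2026:10:00:03 +0000] "GET /api/example/import?url=https://github.com/acme/app/blob/main/..%2f..%2fother HTTP/1.1" 200 40',
  '198.51.100.7 - - [05/Mar/2026:10:00:04 +0000] "GET /api/example/import?url=https://github.com/acme/app/blob/main/%2e%2e%2f%2e%2e%2fother HTTP/1.1" 200 40',
  '198.51.100.7 - - [05/Mar/2026:10:00:05 +0000] "GET /api/example/import?url=https://github.com/acme/app/blob/main/%252e%252e%252fother HTTP/1.1" 200 40',
  '10.0.0.9 - - [05/Mar/2026:10:00:06 +0000] "GET /api/catalog/entities?filter=kind=component HTTP/1.1" 200 9000',
];

// A ".." path segment followed by a slash or backslash (or at end of string).
const TRAVERSAL_SEGMENT = /(^|[\/\\])\.\.(?=[\/\\]|$)/;

// client - - [time] "METHOD target ..." -> captures client and request target.
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) /;

// decodeURIComponent throws on malformed sequences such as a bare "%"; treat
// those as undecodable rather than aborting the scan.
function safeDecode(s: string): string {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

// Layer 0 is the raw request target; each further layer is one more round of
// percent-decoding, stopping as soon as decoding no longer changes the string.
function decodeLayers(s: string, maxRounds: number = 2): string[] {
  const layers = [s];
  for (let i = 0; i < maxRounds; i++) {
    const next = safeDecode(layers[layers.length - 1]);
    if (next === layers[layers.length - 1]) break;
    layers.push(next);
  }
  return layers;
}

interface TraversalHit {
  index: number;     // position of the line in the input (0-based)
  client: string;    // source address as logged
  request: string;   // raw request target as logged
  decodedAt: number; // 0 = visible in plaintext, 1 = once-encoded, 2 = double-encoded
}

// Returns one hit per log line whose request target contains a ".." segment
// in the raw form or after up to two rounds of decoding.
function findEncodedTraversal(lines: string[]): TraversalHit[] {
  const hits: TraversalHit[] = [];
  lines.forEach((line, index) => {
    const m = LOG_LINE.exec(line);
    if (!m) return; // not a parseable access-log line
    const client = m[1];
    const target = m[3];
    const layers = decodeLayers(target);
    for (let depth = 0; depth < layers.length; depth++) {
      if (TRAVERSAL_SEGMENT.test(layers[depth])) {
        hits.push({ index, client, request: target, decodedAt: depth });
        return;
      }
    }
  });
  return hits;
}

for (const hit of findEncodedTraversal(SAMPLE_ACCESS_LOG)) {
  console.log(`line ${hit.index} from ${hit.client}: traversal visible after ${hit.decodedAt} decode round(s)`);
}
```

Run against the constructed sample it reports lines 2, 3 and 4 (the ..%2f, %2e%2e%2f and %252e%252e%252f requests) and nothing for the benign lines; the decodedAt value tells the analyst how much encoding the sender used, which is itself a useful triage signal.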
Exploit status: disclosure
EPSS: 0.01% (percentile 2%)
CISA SSVC: not listed
CVSS vector: not listed
The primary mitigation for CVE-2026-29185 is to upgrade @backstage/integration to version 1.20.1 or later, which sanitizes and validates SCM URLs so that traversal segments cannot reach the API URL builder. As a temporary workaround, validate user-provided SCM URLs before they reach integration functions: decode them first, then reject any path segment that is "." or "..", restrict the host to the configured SCM providers, and allow only http(s). Validation applied to the still-encoded string is exactly what this vulnerability bypasses. Independently of the fix, scope the server-side integration credentials to the minimum the integration needs (read-only where possible, limited to the required organizations or repositories) so that a successful redirect gains as little as possible. After upgrading, confirm the fix by submitting a URL containing encoded traversal sequences such as %2e%2e%2f through a feature that accepts SCM URLs and verifying that it is rejected rather than forwarded to the provider.
Update the @backstage/integration package to version 1.20.1 or later; this fixes the path traversal vulnerability in SCM URL parsing. Run npm update @backstage/integration to move to the fixed version. Note that npm update only moves within the range declared in package.json, and Backstage projects usually manage versions with yarn, so re-run npm list @backstage/integration afterwards and confirm that every installed copy reports 1.20.1 or later.
CVE-2026-29185 is a path traversal vulnerability in the @backstage/integration component, allowing attackers to redirect API requests using server-side credentials.
You are affected if you use @backstage/integration versions prior to 1.20.1 and utilize SCM integrations with user-provided URLs.
Upgrade to @backstage/integration version 1.20.1 or later to patch the vulnerability. Validate and sanitize user-provided URLs as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2026-29185.
Refer to the official Backstage security advisory for detailed information and updates: [https://backstage.io/security](https://backstage.io/security)