Platform
nodejs
Component
@backstage/backend-defaults
Fixed in
0.12.3
0.13.1
0.14.1
0.12.2
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability affecting the @backstage/backend-defaults component. This vulnerability allows attackers to bypass URL allowlists within Backstage, potentially granting access to internal resources. The issue is fixed in version 0.12.2 and was published on January 21, 2026.
The vulnerability lies within the FetchUrlReader component, responsible for fetching content from URLs. Due to automatic HTTP redirect handling, an attacker controlling a host listed in backend.reading.allow can craft malicious redirects. These redirects can point to internal or sensitive URLs that are not explicitly permitted by the allowlist, effectively circumventing the intended security control. While the vulnerability doesn't allow attackers to inject custom request headers, the ability to redirect requests to internal resources poses a significant risk. This could expose sensitive data, internal APIs, or even allow for reconnaissance of the internal network.
The vulnerability's exploitation probability is currently assessed as low. No public proof-of-concept (POC) code has been released. The vulnerability was published on January 21, 2026, and is not currently listed on KEV or EPSS. Organizations should prioritize patching to prevent potential exploitation.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to @backstage/backend-defaults version 0.12.2 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing stricter URL validation and sanitization within your Backstage plugins. Review and restrict the hosts listed in backend.reading.allow to only those absolutely necessary. WAF rules can be configured to detect and block suspicious HTTP redirects originating from trusted hosts. Regularly audit your Backstage configuration and plugin dependencies to identify and address potential vulnerabilities.
Update the `@backstage/backend-defaults` package to version 0.12.2, 0.13.2, 0.14.1, 0.15.0 or later. Alternatively, restrict `backend.reading.allow` to trusted hosts that you control and that do not issue redirects, make sure the allowed hosts have no open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.
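The mitigations above boil down to one rule: a redirect must not be followed unless its target also satisfies the allowlist. The following is an added defensive example, not code from Backstage or from the advisory, showing a URL reader wrapper that fetches with `redirect: 'manual'` and re-checks every hop against a `backend.reading.allow`-style list. The function names (`isHostAllowed`, `fetchWithCheckedRedirects`, `makeFakeFetch`), the allowlist and the hosts `docs.example.com` and `internal.example.local` are assumptions constructed for the demo; the fake fetch stands in for a real server so the example runs offline.

```javascript
// Added example (not Backstage's own code). Hypothetical names throughout.
// Allowlist in the shape of backend.reading.allow entries: [{ host: '...' }]

function isHostAllowed(urlString, allowlist) {
  let parsed;
  try { parsed = new URL(urlString); } catch { return false; }
  // Only plain HTTP(S) reads; any other scheme is rejected outright.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return allowlist.some(e => e.host.toLowerCase() === parsed.hostname.toLowerCase());
}

// Follow redirects by hand so each Location target is validated before it is fetched.
// Automatic redirect handling (the unpatched behaviour) would skip the check on hop 2+.
async function fetchWithCheckedRedirects(startUrl, allowlist, fetchImpl, maxHops = 5) {
  const hops = [];
  let current = startUrl;
  for (let i = 0; i <= maxHops; i++) {
    if (!isHostAllowed(current, allowlist)) {
      throw new Error(`blocked: ${current} is not in the allowlist`);
    }
    hops.push(current);
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get('location');
      if (!location) throw new Error(`redirect without Location from ${current}`);
      current = new URL(location, current).toString(); // resolves relative Locations
      continue;
    }
    return { finalUrl: current, status: res.status, body: await res.text(), hops };
  }
  throw new Error(`too many redirects (>${maxHops})`);
}

// Constructed stand-in for fetch(): a table of URL -> response.
function makeFakeFetch(routes) {
  return async (url) => {
    const r = routes[url];
    if (!r) return { status: 404, headers: { get: () => null }, text: async () => 'not found' };
    return {
      status: r.status,
      headers: { get: (n) => (n.toLowerCase() === 'location' ? r.location ?? null : null) },
      text: async () => r.body ?? '',
    };
  };
}

// Constructed data: one allowed host, one internal host that is NOT allowed.
const ALLOWLIST = [{ host: 'docs.example.com' }];
const ROUTES = {
  // The allowed host redirects off-list: must be blocked.
  'https://docs.example.com/catalog-info.yaml': { status: 302, location: 'http://internal.example.local/admin' },
  'http://internal.example.local/admin': { status: 200, body: 'should never be read' },
  // A same-host relative redirect: fine to follow.
  'https://docs.example.com/ok.yaml': { status: 301, location: '/moved/ok.yaml' },
  'https://docs.example.com/moved/ok.yaml': { status: 200, body: 'apiVersion: backstage.io/v1alpha1' },
};

async function demo() {
  const fakeFetch = makeFakeFetch(ROUTES);
  const okResult = await fetchWithCheckedRedirects('https://docs.example.com/ok.yaml', ALLOWLIST, fakeFetch);
  let blocked = null;
  try {
    await fetchWithCheckedRedirects('https://docs.example.com/catalog-info.yaml', ALLOWLIST, fakeFetch);
  } catch (e) {
    blocked = e.message;
  }
  return { okResult, blocked };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

Run with `node` (v14 or later). The same-host redirect resolves and returns the YAML body with two hops recorded; the redirect to `internal.example.local` is rejected before any request leaves for that host. In a real deployment the `fetchImpl` parameter would be the platform `fetch`, and the hop limit guards against redirect loops.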
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability in the @backstage/backend-defaults component of Backstage. It allows attackers to bypass URL allowlists and access internal resources via HTTP redirects.
You are affected if you are using a version of @backstage/backend-defaults prior to 0.12.2 and have the FetchUrlReader component in use, especially if your backend.reading.allow configuration is not strictly controlled.
Upgrade to @backstage/backend-defaults version 0.12.2 or later. If immediate upgrade is not possible, implement stricter URL validation and restrict hosts in backend.reading.allow.
Currently, there are no reports of active exploitation or publicly available proof-of-concept code for CVE-2026-24048.
Refer to the official Backstage security advisories and release notes for details on CVE-2026-24048 and the corresponding fix: [https://backstage.io/docs/security](https://backstage.io/docs/security)