Platform
nodejs
Component
@backstage/backend-defaults
Fixed in
0.12.3
0.13.1
0.14.1
0.12.2
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability affecting the @backstage/backend-defaults component. This vulnerability allows attackers to bypass URL allowlists within Backstage, potentially granting access to internal resources. The issue is fixed in version 0.12.2 and was published on January 21, 2026.
The vulnerability lies in the FetchUrlReader component, which is responsible for fetching content from URLs. The allowlist check is applied to the URL that is requested, but the underlying HTTP client follows redirects automatically, so the content actually returned can come from a host that was never checked. An attacker who controls (or can trigger a redirect from) a host listed in backend.reading.allow can therefore answer with a redirect to an internal or otherwise sensitive URL that the allowlist does not permit, circumventing the intended control. The vulnerability does not let the attacker set custom request headers on the redirected request, but steering the backend's own outbound request to internal resources is still significant: it can expose data served by internal HTTP endpoints or internal APIs, and allows reconnaissance of the internal network from the Backstage backend's vantage point.
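The following added example (written for this page, not code from the Backstage project or its FetchUrlReader) shows the two patterns side by side: a reader that validates only the initial URL and lets the HTTP client follow redirects, and a reader that disables automatic redirects and re-validates every hop. The HTTP transport is a constructed in-memory stand-in so the example runs offline; the hostnames, the metadata-style target, and the allowlist shape (`host` plus optional `paths`) are assumptions for illustration.

```javascript
// Added illustration of the redirect-based allowlist bypass and a hardened
// reader. NOT Backstage's FetchUrlReader: fakeFetch() below is a constructed
// stand-in for fetch() so the example runs with no network access.

// Constructed "internet": the allowlisted docs host answers with a redirect
// to an internal metadata-style endpoint that is not in the allowlist.
const FAKE_SERVERS = {
  'https://docs.example.com/page': {
    status: 302,
    headers: { location: 'http://169.254.169.254/latest/meta-data/' },
    body: '',
  },
  'http://169.254.169.254/latest/meta-data/': {
    status: 200,
    headers: {},
    body: 'instance-id=i-0123456789abcdef0', // constructed sample payload
  },
};

// Minimal fetch() stand-in. 'follow' chases Location headers the way an
// unconfigured HTTP client does; 'manual' hands each 3xx back to the caller
// (Node's built-in fetch behaves the same way with redirect: 'manual').
async function fakeFetch(url, { redirect = 'follow' } = {}) {
  let current = url;
  for (let hop = 0; hop < 20; hop++) {
    const res = FAKE_SERVERS[current];
    if (!res) return { status: 404, url: current, headers: new Map(), text: async () => '' };
    const response = {
      status: res.status,
      url: current,
      headers: new Map(Object.entries(res.headers)),
      text: async () => res.body,
    };
    const isRedirect = res.status >= 300 && res.status < 400 && res.headers.location;
    if (!isRedirect || redirect === 'manual') return response;
    current = new URL(res.headers.location, current).href;
  }
  throw new Error('too many redirects');
}

// Allowlist check modelled on backend.reading.allow: exact host match and an
// optional path-prefix list (assumed structure for this example).
function isAllowed(urlString, allow) {
  const url = new URL(urlString);
  return allow.some(
    (rule) =>
      rule.host === url.hostname &&
      (!rule.paths || rule.paths.some((p) => url.pathname.startsWith(p))),
  );
}

// Vulnerable pattern: the allowlist is consulted once, for the initial URL,
// and the transport silently follows whatever Location the host returns.
async function vulnerableRead(urlString, allow, fetchImpl = fakeFetch) {
  if (!isAllowed(urlString, allow)) throw new Error(`not allowed: ${urlString}`);
  const res = await fetchImpl(urlString, { redirect: 'follow' });
  return { finalUrl: res.url, body: await res.text() };
}

// Hardened pattern: automatic redirects are disabled, every hop is checked
// against the allowlist before it is requested, and a hop cap stops loops.
async function hardenedRead(urlString, allow, fetchImpl = fakeFetch, maxHops = 5) {
  let current = urlString;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAllowed(current, allow)) throw new Error(`not allowed: ${current}`);
    const res = await fetchImpl(current, { redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, current).href; // resolve relative redirects too
      continue;
    }
    return { finalUrl: res.url, body: await res.text() };
  }
  throw new Error('too many redirects');
}

const ALLOW = [{ host: 'docs.example.com' }]; // assumed allowlist

// Runs both readers against the same allowlisted URL and reports the outcome.
async function demo() {
  const leaked = await vulnerableRead('https://docs.example.com/page', ALLOW);
  let blocked = null;
  try {
    await hardenedRead('https://docs.example.com/page', ALLOW);
  } catch (e) {
    blocked = e.message;
  }
  return { leaked, blocked };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Running it shows the vulnerable reader returning the body from the internal address even though only docs.example.com was allowlisted, while the hardened reader stops at the first hop that fails the check. Re-validating per hop is the essential part; it is not enough to validate the initial URL more strictly, because the initial URL is legitimately allowed.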
The vulnerability's exploitation probability is currently assessed as low. No public proof-of-concept (POC) code has been released. The vulnerability was published on January 21, 2026; it is not listed in the CISA KEV catalog and its EPSS score is low (0.03%, 9th percentile). Organizations should still prioritize patching, since exploitation only requires control of, or an open redirect on, one allowlisted host.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to @backstage/backend-defaults version 0.12.2 or later. If an immediate upgrade is not feasible because of compatibility concerns or breaking changes, note that tightening validation of the requested URL alone does not help: the requested URL is legitimately allowed, and the bypass happens in the redirect that follows. Instead, review and restrict the hosts listed in backend.reading.allow to only those that are absolutely necessary, that you control, and that do not issue redirects. Because the redirect is followed by the Backstage backend's own outbound HTTP client, a WAF in front of Backstage will not see it; use egress filtering or network policy to block the backend from reaching internal endpoints such as cloud metadata services and internal admin APIs. Regularly audit your Backstage configuration and plugin dependencies to identify and address potential vulnerabilities.
Update the `@backstage/backend-defaults` package to version 0.12.2, 0.13.2, 0.14.1, 0.15.0 or later. Alternatively, restrict `backend.reading.allow` to trusted hosts that you control and that do not issue redirects, make sure the allowed hosts have no open-redirect vulnerabilities, and/or use network-level controls to block Backstage's access to sensitive internal endpoints.
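As an added illustration of the allowlist advice above (not configuration from the advisory or the Backstage project), the fragment below contrasts a broad entry with a tightened one. The `host` and `paths` keys follow the `backend.reading.allow` schema as this editor understands it; the hostnames and paths are assumptions, and the shape should be checked against the `app-config.yaml` schema of your Backstage version.

```yaml
# Added example: app-config.yaml fragment (assumed hostnames and paths)
backend:
  reading:
    allow:
      # Weak: a wildcard that covers every subdomain, including any host
      # that serves user content or has an open redirect. A redirect from
      # any of them reaches the vulnerable reader with an allowlisted origin.
      - host: '*.example.com'

      # Tightened: one host you operate, known not to redirect, and only the
      # path prefix the plugins actually need.
      - host: docs.example.com
        paths: ['/public/']
```

Narrowing the list does not fix the reader; it reduces the set of hosts an attacker would have to control or abuse. Pair it with egress controls so that even a successful redirect cannot reach internal addresses.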
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability in the @backstage/backend-defaults component of Backstage. It allows attackers to bypass URL allowlists and access internal resources via HTTP redirects.
You are affected if you are using a version of @backstage/backend-defaults prior to 0.12.2 and rely on the FetchUrlReader to fetch content from hosts listed in backend.reading.allow, especially if that allowlist includes hosts you do not control or hosts that may redirect.
Upgrade to @backstage/backend-defaults version 0.12.2 or later. If an immediate upgrade is not possible, restrict backend.reading.allow to hosts you control that do not redirect, and use network-level controls to block the backend from reaching internal endpoints.
Currently, there are no reports of active exploitation or publicly available proof-of-concept code for CVE-2026-24048.
Refer to the official Backstage security advisories and release notes for details on CVE-2026-24048 and the corresponding fix: [https://backstage.io/docs/security](https://backstage.io/docs/security)