Platform
nodejs
Component
@backstage/backend-defaults
Fixed versions
0.12.3
0.13.1
0.14.1
0.12.2
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability in the @backstage/backend-defaults package of Backstage. It lets an attacker bypass the backend's URL allowlist and reach internal resources from the Backstage backend. The vulnerability was published on January 21, 2026; the first fixed release is 0.12.2, with fixes also shipped on later release lines (see the fixed versions above).
The flaw is in FetchUrlReader, the backend's generic reader for fetching content over HTTP. The reader checks the requested URL against the hosts configured in backend.reading.allow, but the underlying HTTP client follows redirects automatically, and the redirect target is not checked against the allowlist. An attacker who controls an allowlisted host, or who finds an open redirect on one, can therefore answer with a 3xx whose Location points at an internal or otherwise non-allowlisted URL, and the backend will fetch it on the attacker's behalf. The attacker cannot set custom request headers on the redirected request, which limits the attack to endpoints reachable without special headers, but the response still flows back through the reader, so unauthenticated internal APIs, sensitive files served over HTTP, and reconnaissance of the internal network are all within reach.
The probability of exploitation is currently assessed as low: no public proof-of-concept (PoC) code has been released, the CVE is not listed in CISA KEV, and its EPSS score is 0.03% (9th percentile). Organizations should still prioritize patching, since an allowlist bypass in a component that fetches URLs on behalf of plugins is straightforward to weaponize once an open redirect on an allowed host is found.
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade @backstage/backend-defaults to 0.12.2 or a later fixed release. If an immediate upgrade is not feasible because of compatibility concerns or breaking changes, reduce backend.reading.allow to the minimum set of hosts you actually need, prefer hosts you control that do not issue redirects, and validate URLs in your own plugins before handing them to the URL reader. Note that the redirect happens on an outbound request made by the Backstage backend, so an inbound WAF in front of Backstage will not see it; put the backend's egress behind a proxy or network-level controls (firewall rules, network policies) that prevent it from reaching internal endpoints it has no business contacting. Regularly audit your Backstage configuration and plugin dependencies to identify and address potential vulnerabilities.
Upgrade the `@backstage/backend-defaults` package to version 0.12.2, 0.13.2, 0.14.1, 0.15.0 or later. Alternatively, restrict `backend.reading.allow` to hosts you trust and control that do not perform redirects, make sure the allowed hosts have no open-redirect vulnerabilities, and/or use network-level controls to stop Backstage from reaching sensitive internal endpoints.
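The redirect-following behaviour described in the analysis above, and the per-hop allowlist check that the mitigation guidance implies, as an added JavaScript example. This is illustrative code written for this page, not Backstage's FetchUrlReader or its patch: the allowlist matcher is a simplified stand-in for backend.reading.allow, and the hostnames, the internal address 10.0.0.5 and the canned fetch responses are constructed so the script runs offline under Node.

```javascript
// Added example (not Backstage's own code): models how following redirects
// lets an allowlisted host steer FetchUrlReader-style fetches to an internal
// URL, and how re-checking every hop against the allowlist closes the gap.
// Hostnames, the internal address and the canned responses are constructed.

// Simplified stand-in for a backend.reading.allow matcher: each entry names a
// host (optionally '*.suffix') and, optionally, allowed path prefixes.
function isAllowed(urlString, allow) {
  const url = new URL(urlString);
  return allow.some(({ host, paths }) => {
    const hostOk = host.startsWith('*.')
      ? url.hostname.endsWith(host.slice(1)) // '*.example.com' -> '.example.com'
      : url.hostname === host;
    if (!hostOk) return false;
    return !paths || paths.some((p) => url.pathname.startsWith(p));
  });
}

// Constructed offline stand-in for fetch(): a table of canned responses.
// docs.example.com is on the allowlist and has an open redirect at /open
// pointing at a (constructed) internal address that is not on the allowlist.
const RESPONSES = {
  'https://docs.example.com/readme.md': { status: 200, headers: {}, body: '# readme' },
  'https://docs.example.com/open': {
    status: 302,
    headers: { location: 'http://10.0.0.5/internal/config' },
    body: '',
  },
  'http://10.0.0.5/internal/config': { status: 200, headers: {}, body: 'db_password=hunter2' },
};

async function fakeFetch(url, { redirect = 'follow' } = {}) {
  let current = url;
  for (let hops = 0; hops < 20; hops++) {
    const canned = RESPONSES[current];
    if (!canned) return { url: current, status: 404, headers: new Map(), text: async () => '' };
    const location = canned.headers.location;
    if (canned.status >= 300 && canned.status < 400 && location && redirect === 'follow') {
      current = new URL(location, current).toString(); // transparent follow, like fetch's default
      continue;
    }
    return {
      url: current,
      status: canned.status,
      headers: new Map(Object.entries(canned.headers)),
      text: async () => canned.body,
    };
  }
  throw new Error('too many redirects');
}

// Vulnerable pattern: the allowlist is consulted once, for the requested URL,
// and the HTTP client follows redirects on its own, so the final URL is never checked.
async function vulnerableRead(url, allow, fetchImpl) {
  if (!isAllowed(url, allow)) throw new Error(`reading from ${url} is not allowed`);
  const res = await fetchImpl(url); // redirect: 'follow' is the default
  return { finalUrl: res.url, body: await res.text() };
}

// Hardened pattern: ask the client not to follow redirects (Node's fetch returns
// the 3xx itself with redirect: 'manual'), resolve each Location against the
// current URL, and re-check every hop against the allowlist before requesting it.
async function hardenedRead(url, allow, fetchImpl, maxRedirects = 5) {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isAllowed(current, allow)) throw new Error(`reading from ${current} is not allowed`);
    const res = await fetchImpl(current, { redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, current).toString();
      continue;
    }
    return { finalUrl: current, body: await res.text() };
  }
  throw new Error(`more than ${maxRedirects} redirects`);
}

const ALLOW = [{ host: 'docs.example.com' }];

async function demo() {
  const leaked = await vulnerableRead('https://docs.example.com/open', ALLOW, fakeFetch);
  console.log('vulnerable reader fetched', leaked.finalUrl, '->', leaked.body);
  try {
    await hardenedRead('https://docs.example.com/open', ALLOW, fakeFetch);
  } catch (e) {
    console.log('hardened reader refused:', e.message);
  }
  const ok = await hardenedRead('https://docs.example.com/readme.md', ALLOW, fakeFetch);
  console.log('hardened reader fetched', ok.finalUrl, '->', ok.body);
}

demo().catch((e) => { console.error(e); process.exitCode = 1; });
```

The hardened reader also bounds the number of hops, which matters once redirects are handled manually: without a cap, a host that redirects to itself would loop forever. Swapping `fakeFetch` for the global `fetch` gives the same logic against real servers.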
CVE-2026-24048 is a Server-Side Request Forgery (SSRF) vulnerability in the @backstage/backend-defaults component of Backstage. It allows attackers to bypass URL allowlists and access internal resources via HTTP redirects.
You are affected if you run a version of @backstage/backend-defaults prior to 0.12.2 (or an unpatched later release line) and FetchUrlReader is in use, in particular if backend.reading.allow lists hosts you do not control or hosts that can redirect.
Upgrade to @backstage/backend-defaults version 0.12.2 or later. If immediate upgrade is not possible, implement stricter URL validation and restrict hosts in backend.reading.allow.
Currently, there are no reports of active exploitation or publicly available proof-of-concept code for CVE-2026-24048.
Refer to the official Backstage security advisories and release notes for details on CVE-2026-24048 and the corresponding fix: [https://backstage.io/docs/security](https://backstage.io/docs/security)