CVE-2026-24048

EPSS 0.2%
Veröffentlicht 21.01.2026 22:51:44
Zuletzt bearbeitet 25.04.2026 18:01:55
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`

Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linuxfoundation ≫ Backstage/backend Defaults SwPlatformnode.js Version < 0.12.2

Linuxfoundation ≫ Backstage/backend Defaults SwPlatformnode.js Version >= 0.13.0 <= 0.13.2

Linuxfoundation ≫ Backstage/backend Defaults SwPlatformnode.js Version >= 0.14.0 <= 0.14.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.099

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	3.5	1.8	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9

Vendor Advisory

https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-24048

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24048

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24048

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24048