GHSA-2P49-45HJ-7MC9

Vulnerability from github – Published: 2026-01-21 22:40 – Updated: 2026-01-22 15:41
Summary
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
Details

Impact

The `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:

  1. Symlink chains: creating `link1 → link2 → /outside`, where intermediate symlinks eventually resolve outside the allowed directory
  2. Dangling symlinks: creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations

This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.

Patches

This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later.

Workarounds

  • Run Backstage in a containerised environment with limited filesystem access
  • Restrict template creation to trusted users

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@backstage/cli-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T22:40:51Z",
    "nvd_published_at": "2026-01-21T23:15:53Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:\n\n1. **Symlink chains**: Creating `link1 \u2192 link2 \u2192 /outside` where intermediate symlinks eventually resolve outside the allowed directory\n2. **Dangling symlinks**: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations\n\nThis function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.\n\n### Patches\n\nThis vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later.\n\n### Workarounds\n\n- Run Backstage in a containerised environment with limited filesystem access\n- Restrict template creation to trusted users",
  "id": "GHSA-2p49-45hj-7mc9",
  "modified": "2026-01-22T15:41:11Z",
  "published": "2026-01-21T22:40:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/backstage/backstage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass"
}

