@backstage-goalie backstage-goalie bot commented Jan 29, 2026

This PR contains the following updates:

Package                                  Change
@backstage/backend-defaults (source)     0.14.0  → 0.14.1
@backstage/backend-defaults (source)     ^0.11.1 → ^0.12.0
@backstage/backend-defaults (source)     0.13.1  → 0.13.2
@backstage/backend-defaults (source)     ^0.13.1 → ^0.13.2
@backstage/backend-defaults (source)     0.12.1  → 0.12.2
@backstage/backend-defaults (source)     ^0.11.0 → ^0.12.0
@backstage/backend-defaults (source)     0.13.0  → 0.13.2

Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

CVE-2026-24046 / GHSA-rq6q-wr2q-7pgp


Impact

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:

  1. Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
  2. Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace
  3. Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks

This affects any Backstage deployment where users can create or execute Scaffolder templates.

Patches

This vulnerability is fixed in the following package versions:

  • @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, 0.15.0
  • @backstage/plugin-scaffolder-backend version 2.2.2, 3.0.2, 3.1.1
  • @backstage/plugin-scaffolder-node version 0.11.2, 0.12.3

Users should upgrade to these versions or later.

Workarounds
  • Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates
  • Restrict who can create and execute Scaffolder templates using the permissions framework
  • Audit existing templates for symlink usage
  • Run Backstage in a containerized environment with limited filesystem access

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Backstage has a Possible SSRF when reading from allowed URLs in backend.reading.allow

CVE-2026-24048 / GHSA-q2x5-4xjx-c6p9


Impact

The FetchUrlReader component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control.

This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers.

Patches

This vulnerability is fixed in @backstage/backend-defaults versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to one of these versions or later.

Workarounds
  • Restrict backend.reading.allow to only trusted hosts that you control and that do not issue redirects
  • Ensure allowed hosts do not have open redirect vulnerabilities
  • Use network-level controls to block access from Backstage to sensitive internal endpoints

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

backstage/backstage (@backstage/backend-defaults)

v0.14.1

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Renovate Bot.
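The first advisory above describes symlink path traversal in workspace-bound Scaffolder actions. As an added illustration of the defensive check involved (example code, not Backstage's own implementation), the function below resolves a workspace-relative path both lexically and through the filesystem and rejects anything that lands outside the workspace root; the temp-directory fixture in `demo()` is constructed here.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Resolve `relPath` under `workspaceRoot` and refuse it if it escapes the root,
// either lexically ("../") or physically (a symlink whose target lies outside).
// Returns the real, resolved path on success. The parent directory must exist.
function resolveInsideWorkspace(workspaceRoot: string, relPath: string): string {
  const root = fs.realpathSync(workspaceRoot);
  const inside = (p: string) => p === root || p.startsWith(root + path.sep);
  const candidate = path.resolve(root, relPath);
  if (!inside(candidate)) throw new Error(`path escapes workspace: ${relPath}`);
  // realpath of the parent catches symlinked intermediate directories.
  const real = path.join(fs.realpathSync(path.dirname(candidate)), path.basename(candidate));
  if (!inside(real)) throw new Error(`parent directory escapes workspace: ${relPath}`);
  let isLink = false;
  try { isLink = fs.lstatSync(real).isSymbolicLink(); } catch { /* does not exist yet: fine for writes */ }
  if (isLink) {
    // Resolve the link itself; a dangling link makes realpathSync throw, which also rejects it.
    const target = fs.realpathSync(real);
    if (!inside(target)) throw new Error(`symlink escapes workspace: ${relPath}`);
    return target;
  }
  return real;
}

// Constructed fixture: a temp workspace holding a normal file and a symlink
// that points at a file outside the workspace (the debug:log / fs:delete case).
function demo(): { normal: boolean; symlinkBlocked: boolean; dotdotBlocked: boolean } {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), "ws-"));
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), "outside-"));
  try {
    fs.writeFileSync(path.join(ws, "README.md"), "hello");
    fs.writeFileSync(path.join(outside, "secret.txt"), "constructed secret");
    fs.symlinkSync(path.join(outside, "secret.txt"), path.join(ws, "link.txt"));
    const rejects = (rel: string) => {
      try { resolveInsideWorkspace(ws, rel); return false; } catch { return true; }
    };
    return {
      normal: resolveInsideWorkspace(ws, "README.md").endsWith("README.md"),
      symlinkBlocked: rejects("link.txt"),
      dotdotBlocked: rejects("../escape.txt"),
    };
  } finally {
    fs.rmSync(ws, { recursive: true, force: true });
    fs.rmSync(outside, { recursive: true, force: true });
  }
}
```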
