fix(deps): update dependency @backstage/plugin-scaffolder-backend [security]

[backstage-goalie]

This PR contains the following updates:

Package	Change	Age	Confidence
@backstage/plugin-scaffolder-backend (source)	3.1.0 → 3.1.1
@backstage/plugin-scaffolder-backend (source)	2.2.1 → 2.2.2
@backstage/plugin-scaffolder-backend (source)	3.0.1 → 3.1.1
@backstage/plugin-scaffolder-backend (source)	^3.0.1 → ^3.1.1
@backstage/plugin-scaffolder-backend (source)	3.0.1 → 3.0.2
@backstage/plugin-scaffolder-backend (source)	3.0.0 → 3.1.1
@backstage/plugin-scaffolder-backend (source)	2.2.0 → 2.2.2

---

Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

CVE-2026-24046 / GHSA-rq6q-wr2q-7pgp

More information

Details

Impact

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:

1. Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
2. Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace
3. Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks

This affects any Backstage deployment where users can create or execute Scaffolder templates.

Patches

This vulnerability is fixed in the following package versions:

• @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, 0.15.0
• @backstage/plugin-scaffolder-backend version 2.2.2, 3.0.2, 3.1.1
• @backstage/plugin-scaffolder-node version 0.11.2, 0.12.3

Users should upgrade to these versions or later.

Workarounds

• Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates
• Restrict who can create and execute Scaffolder templates using the permissions framework
• Audit existing templates for symlink usage
• Run Backstage in a containerized environment with limited filesystem access

References

• CWE-59: Improper Link Resolution Before File Access
• OWASP Path Traversal

Severity

• CVSS Score: Unknown
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

References

• https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp
• https://nvd.nist.gov/vuln/detail/CVE-2026-24046
• https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d
• https://github.com/backstage/backstage

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

backstage/backstage (@​backstage/plugin-scaffolder-backend)

v3.1.1

Compare Source

Patch Changes

• 5012852: Remove unused abort controller in debug:wait action
• c641c14: Wrap some of the action logic with resolveSafeChildPath and improve symlink handling when fetching remote and local files
• 27f9061: REwrite]
• 872eb91: Upgrade zod-to-json-schema to latest version
• Updated dependencies
  • @​backstage/backend-defaults@​0.15.0
  • @​backstage/backend-plugin-api@​1.6.1
  • @​backstage/plugin-scaffolder-node@​0.12.3
  • @​backstage/integration@​1.19.2
  • @​backstage/backend-openapi-utils@​0.6.5
  • @​backstage/plugin-scaffolder-backend-module-github@​0.9.4
  • @​backstage/plugin-auth-node@​0.6.11
  • @​backstage/plugin-scaffolder-backend-module-azure@​0.2.17
  • @​backstage/plugin-permission-common@​0.9.4
  • @​backstage/plugin-permission-node@​0.10.8
  • @​backstage/plugin-bitbucket-cloud-common@​0.3.6
  • @​backstage/plugin-catalog-backend-module-scaffolder-entity-model@​0.2.16
  • @​backstage/plugin-scaffolder-backend-module-bitbucket@​0.3.18
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-cloud@​0.3.1
  • @​backstage/plugin-scaffolder-backend-module-bitbucket-server@​0.2.17
  • @​backstage/plugin-scaffolder-backend-module-gerrit@​0.2.17
  • @​backstage/plugin-scaffolder-backend-module-gitea@​0.2.17
  • @​backstage/plugin-scaffolder-backend-module-gitlab@​0.11.1
  • @​backstage/plugin-scaffolder-common@​1.7.5

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[backstage-goalie]

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
backend	workspaces/pingidentity/packages/backend	none	v0.0.2