fix(deps): update dependency @backstage/plugin-auth-backend to ^0.27.0#43
Open
mend-on-mend[bot] wants to merge 1 commit intomainfrom
Open
Conversation
Signed-off-by: mend-on-mend[bot] <mend-on-mend[bot]@users.noreply.github.com>
mend-on-mend
bot
requested review from
NormanWenzelWSS,
hetsaliya-crestdata and
rupalvihol
as code owners
Author
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^0.25.2→^0.27.0^0.25.0→^0.27.0^0.25.3→^0.27.0^0.25.1→^0.27.0^0.24.4→^0.27.0@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass
CVE-2026-32235 / GHSA-wqvh-63mv-9w92
More information
Details
Impact
The experimental OIDC provider in
@backstage/plugin-auth-backendis vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configuredallowedRedirectUriPatternsare affected.A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token.
This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.
Patches
Upgrade to
@backstage/plugin-auth-backendversion 0.27.1 or later.Workarounds
Disable experimental Dynamic Client Registration and Client ID Metadata Documents features if they are not required.
References
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch
CVE-2026-32236 / GHSA-qp4c-xg64-7c6x
More information
Details
Impact
A Server-Side Request Forgery (SSRF) vulnerability exists in
@backstage/plugin-auth-backendwhenauth.experimentalClientIdMetadataDocuments.enabledis set totrue. The CIMDmetadata fetch validates the initial
client_idhostname against private IP ranges but does not apply the same validation after HTTP redirects.The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly
enabled via an experimental flag that is off by default. Deployments that restrict
allowedClientIdPatternsto specific trusted domains are not affected.Patches
Patched in
@backstage/plugin-auth-backendversion0.27.1. The fix disables HTTP redirect following when fetching CIMD metadata documents.Workarounds
Disable the experimental CIMD feature by removing or setting
auth.experimentalClientIdMetadataDocuments.enabledtofalsein your app-config. This is the default configuration.Alternatively, restrict
allowedClientIdPatternsto specific trusted domains rather than using the default wildcard pattern.References
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
backstage/backstage (@backstage/plugin-auth-backend)
v0.27.1Compare Source
Patch Changes
d0f4cd2: Added optional client metadata document endpoint at/.well-known/oauth-client/cli.jsonrelative to the auth backend base URL for CLI authentication. Enabled whenauth.experimentalClientIdMetadataDocuments.enabledis set totrue.v0.27.0Compare Source
Minor Changes
31de2c9: Added experimental support for Client ID Metadata Documents (CIMD).This allows Backstage to act as an OAuth 2.0 authorization server that supports the IETF Client ID Metadata Document draft. External OAuth clients can use HTTPS URLs as their
client_id, and Backstage will fetch metadata from those URLs to validate the client.Configuration example:
Clients using CIMD must host a JSON metadata document at their
client_idURL containing at minimum:{ "client_id": "https://example.com/.well-known/oauth-client/my-app", "client_name": "My Application", "redirect_uris": ["http://localhost:8080/callback"], "token_endpoint_auth_method": "none" }d0786b9: Added experimental support for refresh tokens via theauth.experimentalRefreshToken.enabledconfiguration option. When enabled, clients can request theoffline_accessscope to receive refresh tokens that can be used to obtain new access tokens without re-authentication.Patch Changes
7dc3dfe: Removed theauth.experimentalDynamicClientRegistration.tokenExpirationconfig option. DCR tokens now use the default 1 hour expiration.If you need longer-lived access, use refresh tokens via the
offline_accessscope instead. DCR clients should already have theoffline_accessscope available. Enable refresh tokens by setting:7455dae: Use node prefix on native importsUpdated dependencies
v0.26.0Compare Source
Minor Changes
7ffc873: Fixuser_created_atmigration causingSQLiteErrorregarding use of non-constants for defaultsPatch Changes
v0.25.7Compare Source
Patch Changes
de96a60: chore(deps): bumpexpressfrom 4.21.2 to 4.22.0v0.25.6Compare Source
Patch Changes
a9315d0: Change internalstatecolumn totextto support state of over 255 characters05f60e1: Refactored constructor parameter properties to explicit property declarations for compatibility with TypeScript'serasableSyntaxOnlysetting. This internal refactoring maintains all existing functionality while ensuring TypeScript compilation compatibility.51ff7d8: Allow configuring dynamic client registration token expiration with configauth.experimentalDynamicClientRegistration.tokenExpiration.Maximum expiration for the DCR token is 24 hours. Default expiration is 1 hour.
Updated dependencies
v0.25.5Compare Source
Patch Changes
v0.25.4Compare Source
Patch Changes
1d47bf3: Implementing Dynamic Client Registration with the OIDC server. You can enable this by settingauth.experimentalDynamicClientRegistration.enabledinapp-config.yaml. This is highly experimental, but feedback welcome.54ddfef: Updating plugin metadatav0.25.3Compare Source
Patch Changes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.