CVE-2026-24046
Severity: HIGH 7.1 (EPSS 0.02%)
Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
Description
### Impact

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal. An attacker able to create and execute Scaffolder templates could use symlinks placed inside the task workspace to:

1. **Read arbitrary files** via the `debug:log` action, by creating a symlink that points to sensitive files (e.g. `/etc/passwd`, configuration files, secrets)
2. **Delete arbitrary files** via the `fs:delete` action, by creating symlinks that point outside the workspace
3. **Write files outside the workspace** via archive extraction (tar/zip) of an archive containing malicious symlinks

This affects any Backstage deployment where users can create or execute Scaffolder templates.

### Patches

This vulnerability is fixed in the following package versions:

- `@backstage/backend-defaults` 0.12.2, 0.13.2, 0.14.1, 0.15.0
- `@backstage/plugin-scaffolder-backend` 2.2.2, 3.0.2, 3.1.1
- `@backstage/plugin-scaffolder-node` 0.11.2, 0.12.3

Users should upgrade to these versions or later.

### Workarounds

- Follow the recommendation in the [Backstage Threat Model](https://backstage.io/docs/overview/threat-model#scaffolder) to limit access to creating and updating templates
- Restrict who can create and execute Scaffolder templates using the permissions framework
- Audit existing templates for symlink usage
- Run Backstage in a containerized environment with limited filesystem access

### References

- [CWE-59: Improper Link Resolution Before File Access](https://cwe.mitre.org/data/definitions/59.html)
- [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
Affected packages (3)
- npm/@backstage/backend-defaults: from 0, < 0.12.2
- npm/@backstage/plugin-scaffolder-backend: from 0, < 2.2.2
- npm/@backstage/plugin-scaffolder-node: from 0, < 0.11.2

Note: the ranges above list only the earliest fixed release of each package; later minor lines have their own fixed versions (see the Patches section above, e.g. 0.13.2, 0.14.1 and 0.15.0 for `@backstage/backend-defaults`), so a deployment on a newer minor line is not safe merely because it is above the lower bound shown here.
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L |