CVE-2026-24047
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
描述
### Impact The `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by: 1. **Symlink chains**: Creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory 2. **Dangling symlinks**: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. ### Patches This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. ### Workarounds - Run Backstage in a containerised environment with limited filesystem access - Restrict template creation to trusted users
如何修補 CVE-2026-24047
要修補 CVE-2026-24047,請將受影響套件升級到下列已修補版本。
- —升級至 0.1.17 或更新版本
CVE-2026-24047 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 0.1.17
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |