Backstage Pass: Bypassing SSRF Protections via Redirect Hijacking
Jan 22, 2026 · 7 min read
Executive Summary (TL;DR)
The Backstage backend checked the invite list at the front door but didn't watch where the guests went after they got in. By providing a URL hosted on an allowed domain (like GitHub) that returns a 302 redirect, an attacker could force the server to fetch internal resources (like AWS metadata or local services), completely bypassing the `backend.reading.allow` security controls.
A logic flaw in the Backstage `FetchUrlReader` component allowed attackers to bypass URL allowlists by utilizing HTTP redirects. While the initial URL was validated against the configuration, the underlying HTTP client followed 3xx redirects blindly, allowing access to internal network resources.
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| @backstage/backend-defaults (Backstage) | < 0.12.2 | 0.12.2 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-918 |
| Attack Vector | Network (Redirect Hijack) |
| CVSS | 3.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N) |
| Impact | Information Disclosure / Internal Network Access |
| Exploit Status | PoC Available |
| Patch Status | Available (0.12.2+) |
The application does not validate the destination IP address of an HTTP redirect, allowing an attacker to force the application to send requests to an arbitrary destination.
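The flaw summarised above and in the TL;DR, as an added example that is not Backstage's own code: a reader that validates only the first URL against its allowlist, beside one that fetches with `redirect: 'manual'` and re-validates every hop. The allowlist shape (a simplified stand-in for `backend.reading.allow`), the function names and the route table are assumptions; the responses are constructed so the example runs offline.

```javascript
const ALLOW = [{ host: 'github.com' }]; // simplified stand-in for backend.reading.allow (assumption)
function isAllowed(url) {
  const u = new URL(url);
  return u.protocol === 'https:' && ALLOW.some(a => a.host === u.hostname);
}
// Constructed responses standing in for the network: the allowed host answers with a
// 302 whose Location points at the instance-metadata address named in the write-up.
const ROUTES = {
  'https://github.com/org/repo/catalog-info.yaml': { status: 302, headers: { location: 'http://169.254.169.254/latest/meta-data/' } },
  'http://169.254.169.254/latest/meta-data/': { status: 200, body: 'INTERNAL' },
};
async function fakeFetch(url, opts = {}) {
  const r = ROUTES[url];
  if (!r) return { status: 404, headers: new Map(), text: async () => '' };
  const headers = new Map(Object.entries(r.headers || {}));
  // With the default redirect: 'follow', a real client silently chases Location.
  if (r.status >= 300 && r.status < 400 && opts.redirect !== 'manual') {
    return fakeFetch(headers.get('location'), opts);
  }
  return { status: r.status, headers, text: async () => r.body || '' };
}
// Vulnerable pattern: the allowlist is checked once, then the client follows 3xx blindly.
async function readUrlNaive(url, fetchImpl = fakeFetch) {
  if (!isAllowed(url)) throw new Error(`not allowed: ${url}`);
  const res = await fetchImpl(url); // redirect: 'follow' by default
  return { status: res.status, body: await res.text() };
}
// Hardened pattern: handle redirects manually and re-check every hop (bounded).
async function readUrlHardened(url, fetchImpl = fakeFetch, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAllowed(current)) throw new Error(`not allowed: ${current}`);
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (res.status >= 300 && res.status < 400) {
      const loc = res.headers.get('location');
      if (!loc) throw new Error('redirect without Location');
      current = new URL(loc, current).toString(); // resolve relative Location against the hop
      continue;
    }
    return { status: res.status, body: await res.text() };
  }
  throw new Error('too many redirects');
}
const TARGET = 'https://github.com/org/repo/catalog-info.yaml';
readUrlNaive(TARGET).then(r => console.log('naive   :', r.status, r.body));
readUrlHardened(TARGET).catch(e => console.log('hardened:', e.message));
```

In a real deployment the hardened reader should also resolve the hostname and reject private, loopback and link-local addresses, since an allowed host name can still resolve to an internal address.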