CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-24048

Backstage Pass: Bypassing SSRF Filters via Open Redirects

Alon Barad
Alon Barad
Software Engineer

Feb 15, 2026·5 min read·27 visits

Executive Summary (TL;DR)

Backstage checked your ID at the door but didn't watch where you went inside. By exploiting the default redirect behavior of the `fetch` API, attackers could trick the backend into accessing restricted internal resources if they could chain a request through an allowed host with an open redirect.

A logic flaw in the Backstage `FetchUrlReader` component allowed Server-Side Request Forgery (SSRF) bypass via HTTP redirects. While the initial URL was validated against a security allowlist, the fetch implementation automatically followed redirects to unvalidated destinations, potentially exposing internal services or cloud metadata.

The Hook: The Butler Who Knew Too Much

Backstage has become the darling of platform engineering—a unified portal where developers can find everything from API docs to service catalogs. To make this magic happen, Backstage needs to be a bit of a librarian. It reaches out to GitHub, GitLab, S3 buckets, and generic URLs to fetch catalog-info.yaml files and documentation. This heavy lifting is handled by a component in @backstage/backend-defaults called the FetchUrlReader.

Here’s the catch: when you give a server the power to fetch arbitrary URLs, you are handing it a loaded gun pointed at your internal network. To prevent developers from accidentally (or maliciously) fetching http://169.254.169.254/latest/meta-data/iam/security-credentials/ and stealing your AWS keys, Backstage implements a config called backend.reading.allow. It's essentially a bouncer list. You tell it: "Only talk to github.com and internal-docs.com."

But in CVE-2026-24048, we found out that the bouncer was only checking IDs at the front door. Once the request was inside, it could sneak out the back window to anywhere it pleased.

The Flaw: A Game of 'Follow the Leader'

The vulnerability stems from a classic developer oversight: trusting the default behavior of high-level APIs. The FetchUrlReader utilized a standard fetch implementation (specifically node-fetch or similar polyfills in the Node environment). By default, when fetch receives a 3xx HTTP redirect status code (like 301 Moved Permanently or 302 Found), it automatically follows the Location header to the new URL.

In the vulnerable versions of Backstage, the code looked something like this:

  1. Check: Is user_provided_url in the allow list? Yes? Proceed.
  2. Fetch: Execute fetch(user_provided_url).
  3. Redirect: The server at user_provided_url says "Go to evil_internal_url".
  4. Follow: The fetch client says "Okay!" and requests evil_internal_url.

The security check happened only at step 1. The automatic redirect at step 4 completely bypassed the allowlist validation. It's a classic Time-of-Check to Time-of-Use (TOCTOU) logic failure, applied to network hops.

The Code: Trust vs. Verify

Let's look at the smoking gun. The fix involved ripping out the automatic redirect handling and replacing it with a manual loop that treats every hop as a potential threat.

The Vulnerable Logic (Conceptual):

// Blindly trusts the fetch client to handle redirects
const response = await fetch(url, {
  // defaults follow redirects
});

The Fix (Commit 27f9061d...): In the patched version, the developers explicitly disabled automatic redirects and wrote a loop to validate the Location header of every 3xx response.

// The new, paranoid approach
const response = await fetch(url, {
    redirect: 'manual', // STOP! Don't move.
});
 
if (response.status === 301 || response.status === 302) {
    const location = response.headers.get('location');
    const newUrl = new URL(location, url);
 
    // The critical check that was missing:
    if (!isAllowed(newUrl)) {
        throw new Error(`Redirect to ${newUrl} is not allowed`);
    }
    // If allowed, loop and fetch the new URL...
}

This change shifts the security model from "Trust the chain" to "Zero Trust for every hop."

The Exploit: Pinball Wizard

So, why is this rated Low severity (CVSS 3.5)? Because pulling this off requires the stars to align. You can't just feed Backstage http://evil.com because the initial check will block it. You need a pivot point.

To exploit this, an attacker needs two things:

  1. A host that is already whitelisted in backend.reading.allow.
  2. A way to make that allowed host redirect to a target of the attacker's choosing (an Open Redirect vulnerability).

The Attack Chain: Let's assume the victim has allowed trusted-partner.com in their Backstage config. The attacker discovers that trusted-partner.com/login?next=... has an open redirect.

  1. Trigger: The attacker registers a catalog entity pointing to https://trusted-partner.com/login?next=http://169.254.169.254/latest/meta-data/.
  2. Validation: Backstage checks the URL. trusted-partner.com is on the list. Green light.
  3. The Pivot: Backstage requests the URL. The partner server responds: HTTP/1.1 302 Found -> Location: http://169.254.169.254/....
  4. The Loot: The unpatched FetchUrlReader blindly follows the redirect to the AWS metadata service. Backstage reads the credentials and displays them (or stores them) as if they were valid catalog data.

While the prerequisites are high, the impact in a cloud environment is catastrophic—total account compromise via metadata credentials.

The Fix: Manual Override

The mitigation is straightforward: upgrade @backstage/backend-defaults to a patched version (0.12.2, 0.13.2, 0.14.1, or 0.15.0+). The patched component now manually iterates through redirects (up to 5 hops), validating the destination URL against the config at every single step.

If you cannot upgrade immediately, your defense-in-depth strategy is Egress Filtering. Your Backstage backend shouldn't be able to talk to the metadata service (169.254.169.254) or sensitive internal subnets anyway. A simple firewall rule dropping outbound traffic to RFC1918 addresses (excluding necessary services) renders this exploit inert, regardless of the application vulnerability.

Official Patches

BackstageGitHub Security Advisory and Patch Details

Fix Analysis (1)

Technical Appendix

CVSS Score
3.5/ 10
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
EPSS Probability
0.03%
Top 92% most exploited

Affected Systems

Backstage BackendBackstage Catalog PluginBackstage Scaffolder Plugin

Affected Versions Detail

Product
Affected Versions
Fixed Version
@backstage/backend-defaults
Backstage
< 0.12.20.12.2
@backstage/backend-defaults
Backstage
>= 0.13.0, < 0.13.20.13.2
@backstage/backend-defaults
Backstage
>= 0.14.0, < 0.14.10.14.1
AttributeDetail
CWE IDCWE-918
Attack VectorNetwork
CVSS Score3.5 (Low)
EPSS Probability0.03%
Exploit MaturityNone (Theoretical)
PrerequisitesAllowed Host + Open Redirect

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1005Data from Local System
Collection
CWE-918
Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF)

Vulnerability Timeline

Fix committed to Backstage repository
2026-01-20
Security Advisory and CVE published
2026-01-21

References & Sources

  • [1]GHSA-q2x5-4xjx-c6p9
  • [2]CWE-918: SSRF

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 16 hours ago•CVE-2026-54269
5.3

CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs

A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.

Alon Barad
Alon Barad
5 views•6 min read
•2 days ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
13 views•6 min read
•3 days ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
25 views•8 min read
•3 days ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
8 views•5 min read
•3 days ago•CVE-2026-56350
6.3

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

Amit Schendel
Amit Schendel
11 views•6 min read
•7 days ago•CVE-2026-55699
6.5

CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver

CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.

Amit Schendel
Amit Schendel
24 views•6 min read