Launch Week Day 1: Announcing Security Design Review
Start for Free
LOW 3.5 npm

Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`

GHSA-q2x5-4xjx-c6p9 · CVE-2026-24048

Published · Modified

Description

Impact

The FetchUrlReader component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control.

This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers.

Patches

This vulnerability is fixed in @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later.

Workarounds

  • Restrict backend.reading.allow to only trusted hosts that you control and that do not issue redirects
  • Ensure allowed hosts do not have open redirect vulnerabilities
  • Use network-level controls to block access from Backstage to sensitive internal endpoints

References

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes