Skip to main content

Backstage

11 CVEs product

Monthly

CVE-2026-32236 npm LOW PATCH Monitor

A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected. Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents. Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration. Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern. - [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) - [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)

SSRF Backstage
NVD GitHub
CVSS 4.0
1.7
EPSS
0.0%
CVE-2026-25153 npm HIGH PATCH This Week

Arbitrary Python code execution in Backstage's @backstage/plugin-techdocs-node (versions < 1.13.11 and = 1.14.0) lets a contributor who can add or edit a repository's mkdocs.yml inject a malicious MkDocs `hooks` directive that runs on the TechDocs build server whenever TechDocs is configured with `runIn: local`. The flaw also affects documentation built in CI/CD via @techdocs/cli, which bundles the same package. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 8.8 reflects full host compromise of the build environment.

Python Node.js Docker Backstage Code Injection +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25152 npm MEDIUM PATCH This Month

Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.

Node.js Docker Path Traversal Backstage Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-46976 npm MEDIUM PATCH This Month

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Backstage
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-45816 npm MEDIUM PATCH This Month

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Backstage
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-45815 npm MEDIUM PATCH This Month

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Prototype Pollution Information Disclosure Backstage
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-6944 npm MEDIUM PATCH This Month

A flaw was found in the Red Hat Developer Hub (RHDH). Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.

Red Hat Gitlab Information Disclosure Red Hat Developer Hub Backstage
NVD
CVSS 3.1
5.7
EPSS
0.2%
CVE-2023-35926 npm CRITICAL PATCH Act Now

Backstage is an open platform for building developer portals. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Backstage
NVD GitHub
CVSS 3.1
9.9
EPSS
1.9%
CVE-2021-43783 npm HIGH PATCH This Week

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Backstage
NVD GitHub
CVSS 3.1
8.5
EPSS
1.2%
CVE-2021-41151 npm MEDIUM PATCH This Month

Backstage is an open platform for building developer portals. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Backstage
NVD GitHub
CVSS 3.1
4.9
EPSS
1.3%
CVE-2021-32662 npm MEDIUM PATCH This Month

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Backstage
NVD GitHub
CVSS 3.1
6.5
EPSS
1.3%
EPSS 0% CVSS 1.7
LOW PATCH Monitor

A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected. Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents. Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration. Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern. - [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) - [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)

SSRF Backstage
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary Python code execution in Backstage's @backstage/plugin-techdocs-node (versions < 1.13.11 and = 1.14.0) lets a contributor who can add or edit a repository's mkdocs.yml inject a malicious MkDocs `hooks` directive that runs on the TechDocs build server whenever TechDocs is configured with `runIn: local`. The flaw also affects documentation built in CI/CD via @techdocs/cli, which bundles the same package. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 8.8 reflects full host compromise of the build environment.

Python Node.js Docker +3
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.

Node.js Docker Path Traversal +2
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Backstage
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Backstage
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Prototype Pollution Information Disclosure Backstage
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

A flaw was found in the Red Hat Developer Hub (RHDH). Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.

Red Hat Gitlab Information Disclosure +2
NVD
EPSS 2% CVSS 9.9
CRITICAL PATCH Act Now

Backstage is an open platform for building developer portals. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Backstage
NVD GitHub
EPSS 1% CVSS 8.5
HIGH PATCH This Week

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Backstage
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

Backstage is an open platform for building developer portals. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Backstage
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Backstage
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy