Description
Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users.
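As an added, defender-side illustration (not Backstage's own code; `NotAllowedError`, `followLinks` and `demo` are names chosen here, not Backstage APIs), the following TypeScript shows a resolver that walks the requested path one component at a time, follows each symlink chain, and validates the target of a dangling link lexically even though it does not exist yet, covering the two cases the description says the pre-0.1.17 check missed. It assumes a POSIX filesystem and Node with @types/node available.

```typescript
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';
export class NotAllowedError extends Error {} // hypothetical name; Backstage uses its own error types
// True when target is base itself or lexically below it (no '..' escape).
function isWithin(base: string, target: string): boolean {
  const rel = path.relative(base, target);
  return !path.isAbsolute(rel) && rel !== '..' && !rel.startsWith('..' + path.sep);
}
// Follows a symlink chain; an existing entry is canonicalised with realpath, while a dangling link yields the lexical path it points to so that target can still be checked.
function followLinks(p: string): string {
  let current = p;
  for (let depth = 0; depth < 40; depth++) { // depth bound stops symlink loops such as a -> b -> a
    let st: fs.Stats;
    try { st = fs.lstatSync(current); } catch { return current; } // target not created yet
    if (!st.isSymbolicLink()) return fs.realpathSync(current);
    current = path.resolve(path.dirname(current), fs.readlinkSync(current));
  }
  throw new NotAllowedError(`symlink chain too deep at ${p}`);
}
// Resolves child under base, rejecting escapes via '..', symlink chains or dangling links.
export function resolveSafeChildPath(base: string, child: string): string {
  const realBase = fs.realpathSync(base);
  const candidate = path.resolve(realBase, child);
  if (!isWithin(realBase, candidate)) throw new NotAllowedError(`'${child}' leaves ${realBase}`);
  let current = realBase; // walk one component at a time so every link in the path is checked
  for (const seg of path.relative(realBase, candidate).split(path.sep).filter(Boolean)) {
    current = followLinks(path.join(current, seg));
    if (!isWithin(realBase, current)) throw new NotAllowedError(`'${seg}' resolves to ${current}`);
  }
  return current;
}

// Constructed scenario: link1 -> link2 -> outside dir, a dangling link to a not-yet-created file outside base, and a benign link that stays inside base.
export function demo(): Record<string, string> {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'safe-base-')));
  const outside = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'outside-')));
  fs.mkdirSync(path.join(base, 'subdir'));
  fs.symlinkSync(path.join(base, 'subdir'), path.join(base, 'inner'));
  fs.symlinkSync('link2', path.join(base, 'link1'));
  fs.symlinkSync(outside, path.join(base, 'link2'));
  fs.symlinkSync(path.join(outside, 'later.txt'), path.join(base, 'dangling'));
  const results: Record<string, string> = {};
  for (const child of ['inner/ok.txt', 'link1/secret.txt', 'dangling', '../escape.txt']) {
    try { results[child] = resolveSafeChildPath(base, child); }
    catch (e) { results[child] = e instanceof NotAllowedError ? 'REJECTED' : String(e); }
  }
  return results;
}
```

`demo()` returns the resolved path for the benign link and `REJECTED` for the chain, the dangling link and the `..` escape.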
Published: 2026-01-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Directory Traversal via Symlink Chain
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the resolveSafeChildPath utility used by @backstage/backend-plugin-api. Before version 0.1.17 this function does not fully validate symlink chains or dangling symlinks, so an attacker can craft a chain of symbolic links that ultimately resolves to a path outside the intended base directory. This bypass permits reading or writing arbitrary files on the host filesystem when paths processed by tools such as Scaffolder actions are resolved. The weakness is categorized as CWE-59 (Improper Handling of Relative Pathname) and CWE-61 (Improper Restriction of Operations within the File System). The direct impact is that a privileged or compromised user can gain filesystem access beyond the designated sandbox, potentially leading to data exfiltration or configuration manipulation.

Affected Systems

Backstage, an open-source framework for developer portals, is affected; specifically, the @backstage/cli-common package and the @backstage/backend-plugin-api component, listed under the backstage:backstage vendor. Versions of @backstage/backend-plugin-api older than 0.1.17 contain the flaw. Users deploying Backstage before that release should review their installed package versions. No other product variants are presently documented in the CNA data.

Risk and Exploitability

The CVSS base score of 6.3 indicates moderate severity. The EPSS score is less than 1 percent, reflecting a very low probability of exploitation under current threat data. The vulnerability is not listed in the CISA KEV catalog, and no active exploits are publicly reported. Exploitation requires the attacker to supply a controlled symlink chain to the resolveSafeChildPath routine, which is generally limited to the context of template creation, file uploads, or local file handling by the Backstage backend. The attack surface is therefore constrained to environments where an attacker can influence filesystem operations, such as an untrusted user with the ability to submit templates or an application running with elevated permissions. In the absence of such an avenue, the risk remains low to moderate.

Generated by OpenCVE AI on April 18, 2026 at 04:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the @backstage/backend-plugin-api package to version 0.1.17 or later, ensuring that resolveSafeChildPath contains the patch.
  • Restrict template creation and file manipulation interfaces to trusted users or roles, preventing untrusted users from providing symlink chains that target sensitive paths.
  • Deploy Backstage within a container or virtualized environment that limits filesystem access, restricting the backend's exposure to critical directories outside the application data folder.


Advisories
Source: GitHub GHSA
ID: GHSA-2p49-45hj-7mc9
Title: @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
History

Tue, 27 Jan 2026 12:15:00 +0000

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Moderate


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Backstage (vendor), Backstage backstage (product)

Type: Vendors & Products
Values Removed: (none)
Values Added: Backstage (vendor), Backstage backstage (product)

Thu, 22 Jan 2026 23:00:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: the vulnerability description shown in the Description section above

Type: Title
Values Removed: (none)
Values Added: @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-59, CWE-61

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:49:06.720Z

Reserved: 2026-01-20T22:30:11.778Z

Link: CVE-2026-24047

Vulnrichment

Updated: 2026-01-22T15:09:20.508Z

NVD

Status: Deferred

Published: 2026-01-21T23:15:53.407

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24047

Redhat

Severity: Moderate

Public Date: 2026-01-21T22:45:06Z

Links: CVE-2026-24047 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses