Description
Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints.
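As an added illustration (not Backstage's own code, and not the actual fix shipped in @backstage/backend-defaults), the JavaScript below contrasts the two reader patterns the description describes: a reader that checks the host allowlist once and lets `fetch` follow redirects, and a reader that handles redirects manually and re-checks the allowlist on every hop. The allowlist, the route table and the fake `fetch` are constructed stand-ins for hosts under `backend.reading.allow` and for a real network client; exact hostname matching is an assumption made for the example and does not describe how the real configuration matches hosts.

```javascript
// Added example, not Backstage code. Assumed: an allowlist of exact hostnames
// (stand-in for hosts under backend.reading.allow) and a fetch-compatible client.

const ALLOWED_HOSTS = ['docs.example.com']; // constructed allowlist

function isAllowedHost(urlString, allow = ALLOWED_HOSTS) {
  const { hostname } = new URL(urlString);
  return allow.includes(hostname);
}

// Constructed route table standing in for real servers. The allowed host issues
// two redirects: one to itself and one to a host that is not on the allowlist.
const ROUTES = {
  'https://docs.example.com/catalog-info.yaml': { status: 200, body: 'kind: Component' },
  'https://docs.example.com/moved': { status: 302, headers: { location: '/catalog-info.yaml' } },
  'https://docs.example.com/redirect': { status: 302, headers: { location: 'http://internal-service.local/admin' } },
  'http://internal-service.local/admin': { status: 200, body: 'internal admin page' },
};

// Fake fetch that honours the `redirect` option the same way the real one does:
// 'follow' (the default) chases redirects, 'manual' returns the 3xx response as-is.
function makeFakeFetch(routes) {
  return async function fakeFetch(urlString, { redirect = 'follow' } = {}) {
    let current = urlString;
    for (let hop = 0; hop < 20; hop++) {
      const route = routes[current] || { status: 404 };
      const headers = new Map(Object.entries(route.headers || {}));
      const response = { url: current, status: route.status, headers, text: async () => route.body || '' };
      const isRedirect = route.status >= 300 && route.status < 400 && headers.has('location');
      if (!isRedirect || redirect === 'manual') return response;
      current = new URL(headers.get('location'), current).toString();
    }
    throw new Error('fake fetch: too many redirects');
  };
}

// Vulnerable pattern: the allowlist is checked once, then fetch follows redirects
// on its own, so the final request can land on a host the check never saw.
async function readUrlNaive(urlString, fetchImpl, allow = ALLOWED_HOSTS) {
  if (!isAllowedHost(urlString, allow)) throw new Error(`host not allowed: ${urlString}`);
  const res = await fetchImpl(urlString); // default redirect: 'follow'
  return { finalUrl: res.url, status: res.status, body: await res.text() };
}

// Hardened pattern: redirects are handled by the reader, and every hop is
// validated against the allowlist before it is requested.
async function readUrlChecked(urlString, fetchImpl, { allow = ALLOWED_HOSTS, maxRedirects = 5 } = {}) {
  let current = urlString;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isAllowedHost(current, allow)) throw new Error(`host not allowed: ${current}`);
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get('location');
      if (!location) throw new Error(`redirect without Location from ${current}`);
      current = new URL(location, current).toString(); // resolve relative Location
      continue;
    }
    return { finalUrl: current, status: res.status, body: await res.text() };
  }
  throw new Error(`more than ${maxRedirects} redirects from ${urlString}`);
}

async function demo() {
  const fetchImpl = makeFakeFetch(ROUTES);
  const naive = await readUrlNaive('https://docs.example.com/redirect', fetchImpl);
  console.log('naive reader reached:', naive.finalUrl); // off-allowlist host
  try {
    await readUrlChecked('https://docs.example.com/redirect', fetchImpl);
  } catch (e) {
    console.log('checked reader refused:', e.message);
  }
  const ok = await readUrlChecked('https://docs.example.com/moved', fetchImpl);
  console.log('same-host redirect still works:', ok.finalUrl);
}

demo();
```

With Node's built-in `fetch`, `redirect: 'manual'` returns the 3xx response instead of following it, which is what makes the per-hop check possible; a reader that never needs redirects can go further and treat any 3xx as an error.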
Published: 2026-01-21
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

Before the fixed releases, the FetchUrlReader in @backstage/backend-defaults followed HTTP redirects automatically, so an attacker controlling a host listed in backend.reading.allow could redirect the reader to internal or sensitive URLs that are not on the allowlist. This bypasses the URL allowlist security control and results in a Server-Side Request Forgery that can expose internal resources. The flaw does not allow injection of additional request headers.

Affected Systems

Backstage, the open framework for developer portals, and its backend-defaults component are affected. All versions of @backstage/backend-defaults prior to 0.12.2, 0.13.2, 0.14.1, and 0.15.0 contain the vulnerability. Identified through the CPE mapping and vendor/product listing.

Risk and Exploitability

The vulnerability has a CVSS v3.1 score of 3.5, placing it in the low severity range. The EPSS indicates an exploitation probability of less than 1%, and the CVE is not listed in the CISA KEV catalog. Because the attacker cannot add request headers, the attack relies on redirects issued by hosts that are already on the allowlist. Given these characteristics, the overall risk is low, though it is higher in environments where allowed hosts can be compromised or are not strictly controlled.

Generated by OpenCVE AI on April 18, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @backstage/backend-defaults to version 0.12.2, 0.13.2, 0.14.1, or 0.15.0 or later to fix the redirect issue.
  • Restrict backend.reading.allow to trusted hosts that you control, that do not issue redirects, and that have no open redirect vulnerabilities.
  • Implement network‑level controls to block outbound requests from Backstage to sensitive internal endpoints, adding an extra layer of protection.

Advisories
Source: GitHub GHSA
ID: GHSA-q2x5-4xjx-c6p9
Title: Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`
History

Sat, 25 Apr 2026 18:15:00 +0000
  First Time appeared: added Linuxfoundation backstage\/backend Defaults
  CPEs: removed cpe:2.3:a:linuxfoundation:\@backstage\/backend_defaults:*:*:*:*:*:node.js:*:*; added cpe:2.3:a:linuxfoundation:backstage\/backend_defaults:*:*:*:*:*:node.js:*:*
  Vendors & Products: removed Linuxfoundation \@backstage\/backend Defaults; added Linuxfoundation backstage\/backend Defaults

Thu, 09 Apr 2026 15:00:00 +0000
  First Time appeared: added Linuxfoundation; Linuxfoundation \@backstage\/backend Defaults
  CPEs: added cpe:2.3:a:linuxfoundation:\@backstage\/backend_defaults:*:*:*:*:*:node.js:*:*
  Vendors & Products: added Linuxfoundation; Linuxfoundation \@backstage\/backend Defaults

Tue, 27 Jan 2026 12:15:00 +0000
  References: (values not shown)
  Metrics: threat_severity changed from None to Low

Fri, 23 Jan 2026 16:45:00 +0000
  First Time appeared: added Backstage; Backstage backstage
  Vendors & Products: added Backstage; Backstage backstage

Thu, 22 Jan 2026 23:00:00 +0000
  Metrics: ssvc added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 23:00:00 +0000
  Description: added (text identical to the Description section above)
  Title: added Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`
  Weaknesses: added CWE-918
  References: (values not shown)
  Metrics: cvssV3_1 added {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:48:55.954Z

Reserved: 2026-01-20T22:30:11.778Z

Link: CVE-2026-24048

Vulnrichment

Updated: 2026-01-22T15:09:14.747Z

NVD

Status : Analyzed

Published: 2026-01-21T23:15:53.580

Modified: 2026-04-25T18:01:55.150

Link: CVE-2026-24048

Redhat

Severity : Low

Public Date: 2026-01-21T22:51:44Z

Links: CVE-2026-24048 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses