GHSA-2p49-45hj-7mc9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2p49-45hj-7mc9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-2p49-45hj-7mc9/GHSA-2p49-45hj-7mc9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2p49-45hj-7mc9
- Aliases
- Published
- 2026-01-21T22:40:51Z
- Modified
- 2026-02-03T03:10:16.981108Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
- Details
-
Impact
The
resolveSafeChildPathutility function in@backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:- Symlink chains: Creating
link1 → link2 → /outsidewhere intermediate symlinks eventually resolve outside the allowed directory - Dangling symlinks: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations
This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.
Patches
This vulnerability is fixed in
@backstage/backend-plugin-apiversion 0.1.17. Users should upgrade to this version or later.Workarounds
- Run Backstage in a containerised environment with limited filesystem access
- Restrict template creation to trusted users
- Symlink chains: Creating
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-59", "CWE-61" ], "github_reviewed_at": "2026-01-21T22:40:51Z", "nvd_published_at": "2026-01-21T23:15:53Z" }- References
Affected packages
npm / @backstage/cli-common
Package
- Name
- @backstage/cli-common
- View open source insights on deps.dev
- Purl
- pkg:npm/%40backstage/cli-common