Skip to content

fix(deps): update dependency @backstage/backend-defaults to ^0.12.0 [security] - autoclosed#9749

Closed
backstage-goalie[bot] wants to merge 1 commit into
mainfrom
renovate/npm-backstage-backend-defaults-vulnerability
Closed

fix(deps): update dependency @backstage/backend-defaults to ^0.12.0 [security] - autoclosed#9749
backstage-goalie[bot] wants to merge 1 commit into
mainfrom
renovate/npm-backstage-backend-defaults-vulnerability

Conversation

@backstage-goalie

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@backstage/backend-defaults (source) ^0.11.1^0.12.0 age confidence
@backstage/backend-defaults (source) ^0.7.0^0.12.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Backstage has a Possible SSRF when reading from allowed URL's in backend.reading.allow

CVE-2026-24048 / GHSA-q2x5-4xjx-c6p9

More information

Details

Impact

The FetchUrlReader component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control.

This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers.

Patches

This vulnerability is fixed in @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later.

Workarounds
  • Restrict backend.reading.allow to only trusted hosts that you control and that do not issue redirects
  • Ensure allowed hosts do not have open redirect vulnerabilities
  • Use network-level controls to block access from Backstage to sensitive internal endpoints
References

Severity

  • CVSS Score: 3.5 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

CVE-2026-24046 / GHSA-rq6q-wr2q-7pgp

More information

Details

Impact

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:

  1. Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
  2. Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace
  3. Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks

This affects any Backstage deployment where users can create or execute Scaffolder templates.

Patches

This vulnerability is fixed in the following package versions:

  • @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, 0.15.0
  • @backstage/plugin-scaffolder-backend version 2.2.2, 3.0.2, 3.1.1
  • @backstage/plugin-scaffolder-node version 0.11.2, 0.12.3

Users should upgrade to these versions or later.

Workarounds
  • Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates
  • Restrict who can create and execute Scaffolder templates using the permissions framework
  • Audit existing templates for symlink usage
  • Run Backstage in a containerized environment with limited filesystem access
References

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

backstage/backstage (@​backstage/backend-defaults)

v0.12.2

Compare Source

v0.12.1

Compare Source

Patch Changes

v0.12.0

Compare Source

Minor Changes
  • 133519b: feat: new cache manager Infinispan Data Grid
Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings July 3, 2026 18:34
@backstage-goalie backstage-goalie Bot added dependencies Pull requests that update a dependency file security labels Jul 3, 2026
@backstage-goalie backstage-goalie Bot added the dependencies Pull requests that update a dependency file label Jul 3, 2026
@backstage-goalie backstage-goalie Bot requested a review from Parsifal-M July 3, 2026 18:34

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@backstage-goalie

backstage-goalie Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Changed Packages

Package Name Package Path Changeset Bump Current Version
@backstage-community/plugin-feedback-backend workspaces/feedback/plugins/feedback-backend patch v2.1.7
@backstage-community/plugin-growthbook-backend workspaces/growthbook-flags/plugins/growthbook-backend patch v0.1.1
backend workspaces/report-portal/packages/backend none v0.0.7
@backstage-community/plugin-report-portal-backend workspaces/report-portal/plugins/report-portal-backend patch v1.1.2

@backstage-goalie backstage-goalie Bot changed the title fix(deps): update dependency @backstage/backend-defaults to ^0.12.0 [security] fix(deps): update dependency @backstage/backend-defaults to ^0.12.0 [security] - autoclosed Jul 5, 2026
@backstage-goalie backstage-goalie Bot closed this Jul 5, 2026
@backstage-goalie backstage-goalie Bot deleted the renovate/npm-backstage-backend-defaults-vulnerability branch July 5, 2026 00:37
@backstage-goalie backstage-goalie Bot changed the title fix(deps): update dependency @backstage/backend-defaults to ^0.12.0 [security] - autoclosed fix(deps): update dependency @backstage/backend-defaults to ^0.12.0 [security] Jul 6, 2026
@backstage-goalie backstage-goalie Bot reopened this Jul 6, 2026
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch 2 times, most recently from 0e3782f to 211fcbf Compare July 6, 2026 11:38
Copilot AI review requested due to automatic review settings July 6, 2026 11:38

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@backstage-service backstage-service force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch 2 times, most recently from 4eea895 to dfbcaa8 Compare July 6, 2026 11:39
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from dfbcaa8 to b83a619 Compare July 6, 2026 13:21
Copilot AI review requested due to automatic review settings July 6, 2026 13:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 10 changed files in this pull request and generated 8 comments.

},
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
},
"devDependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage-community/plugin-report-portal-backend": "workspace:^",
"@backstage-community/plugin-search-backend-module-report-portal": "workspace:^",
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
},
"devDependencies": {
"@backstage/backend-defaults": "^0.7.0",
"@backstage/backend-defaults": "^0.12.0",
},
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
'@backstage-community/plugin-report-portal-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-growthbook-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-feedback-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from c20adce to 0760b34 Compare July 6, 2026 17:08
Copilot AI review requested due to automatic review settings July 6, 2026 17:08
@backstage-service backstage-service force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from 0760b34 to 009f1fe Compare July 6, 2026 17:08

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 10 changed files in this pull request and generated 9 comments.

},
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
},
"devDependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage-community/plugin-report-portal-backend": "workspace:^",
"@backstage-community/plugin-search-backend-module-report-portal": "workspace:^",
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
},
"devDependencies": {
"@backstage/backend-defaults": "^0.7.0",
"@backstage/backend-defaults": "^0.12.0",
},
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
},
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
'@backstage-community/plugin-report-portal-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-growthbook-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-feedback-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from 009f1fe to 366777b Compare July 7, 2026 09:12
Copilot AI review requested due to automatic review settings July 7, 2026 09:12
@backstage-service backstage-service force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from 366777b to 71de3ee Compare July 7, 2026 09:12

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 10 changed files in this pull request and generated 8 comments.

Comment on lines 35 to 37
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-plugin-api": "^1.4.1",
Comment on lines 46 to 48
"devDependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-test-utils": "^1.7.0",
Comment on lines 24 to 27
"@backstage-community/plugin-report-portal-backend": "workspace:^",
"@backstage-community/plugin-search-backend-module-report-portal": "workspace:^",
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/config": "^1.3.3",
'@backstage-community/plugin-report-portal-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
Comment on lines 37 to 39
"devDependencies": {
"@backstage/backend-defaults": "^0.7.0",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-test-utils": "^1.10.4",
'@backstage-community/plugin-growthbook-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
Comment on lines 39 to 41
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-dynamic-feature-service": "^0.7.2",
'@backstage-community/plugin-feedback-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from 71de3ee to a93e5c8 Compare July 7, 2026 15:14
Copilot AI review requested due to automatic review settings July 7, 2026 15:41
@backstage-service backstage-service force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from a93e5c8 to f141383 Compare July 7, 2026 15:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 10 changed files in this pull request and generated 8 comments.

},
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
},
"devDependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage-community/plugin-report-portal-backend": "workspace:^",
"@backstage-community/plugin-search-backend-module-report-portal": "workspace:^",
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
},
"devDependencies": {
"@backstage/backend-defaults": "^0.7.0",
"@backstage/backend-defaults": "^0.12.0",
},
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
'@backstage-community/plugin-report-portal-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-growthbook-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-feedback-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from f141383 to 84acb62 Compare July 7, 2026 17:05
Copilot AI review requested due to automatic review settings July 7, 2026 17:14
@backstage-service backstage-service force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from 84acb62 to 527a1e6 Compare July 7, 2026 17:14

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 10 changed files in this pull request and generated 8 comments.

Comment on lines 35 to 37
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-plugin-api": "^1.4.1",
Comment on lines 46 to 48
"devDependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-test-utils": "^1.7.0",
Comment on lines 24 to 27
"@backstage-community/plugin-report-portal-backend": "workspace:^",
"@backstage-community/plugin-search-backend-module-report-portal": "workspace:^",
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/config": "^1.3.3",
Comment on lines 37 to 39
"devDependencies": {
"@backstage/backend-defaults": "^0.7.0",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-test-utils": "^1.10.4",
Comment on lines 39 to 41
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-dynamic-feature-service": "^0.7.2",
'@backstage-community/plugin-report-portal-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-growthbook-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-feedback-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from 527a1e6 to d41a2b5 Compare July 7, 2026 20:42
…security]

Signed-off-by: Renovate Bot <bot@renovateapp.com>
Copilot AI review requested due to automatic review settings July 7, 2026 20:43
@backstage-service backstage-service force-pushed the renovate/npm-backstage-backend-defaults-vulnerability branch from d41a2b5 to 9d75fc5 Compare July 7, 2026 20:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 10 changed files in this pull request and generated 8 comments.

Comment on lines 35 to 37
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-plugin-api": "^1.4.1",
Comment on lines 46 to 48
"devDependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-test-utils": "^1.7.0",
Comment on lines 24 to 27
"@backstage-community/plugin-report-portal-backend": "workspace:^",
"@backstage-community/plugin-search-backend-module-report-portal": "workspace:^",
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/config": "^1.3.3",
Comment on lines 39 to 42
"dependencies": {
"@backstage/backend-defaults": "^0.11.1",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-dynamic-feature-service": "^0.7.2",
"@backstage/backend-plugin-api": "^1.4.1",
Comment on lines 37 to 40
"devDependencies": {
"@backstage/backend-defaults": "^0.7.0",
"@backstage/backend-defaults": "^0.12.0",
"@backstage/backend-test-utils": "^1.10.4",
"@backstage/cli": "^0.35.3",
'@backstage-community/plugin-report-portal-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-growthbook-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
'@backstage-community/plugin-feedback-backend': patch
---

Updated dependency `@backstage/backend-defaults` to `^0.12.0`.
@backstage-goalie backstage-goalie Bot changed the title fix(deps): update dependency @backstage/backend-defaults to ^0.12.0 [security] fix(deps): update dependency @backstage/backend-defaults to ^0.12.0 [security] - autoclosed Jul 8, 2026
@backstage-goalie backstage-goalie Bot closed this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants