CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24047: Backstage Pass: Breaking Out of the Sandbox with Symlinks

Vulnerability ID: CVE-2026-24047
CVSS Score: 6.3
Published: 2026-01-21

A logic flaw in the Backstage framework's path resolution utility allowed attackers to bypass sandbox restrictions using symlinks to non-existent files. By exploiting how the system handled 'phantom' paths, malicious actors could escape the Scaffolder workspace and write files to arbitrary locations on the host filesystem.

TL;DR

CVE-2026-24047 is a path traversal vulnerability in Backstage's resolveSafeChildPath function. It arises from improper validation of symbolic links when the target file does not yet exist. Attackers can chain symlinks to escape the intended directory boundary, potentially leading to Remote Code Execution (RCE) by overwriting configuration files or injecting malicious scripts.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-59 (Link Following)
  • CVSS v3.1: 6.3 (Medium)
  • Attack Vector: Network (via Scaffolder Templates)
  • Impact: Arbitrary File Write / Potential RCE
  • Affected Component: resolveSafeChildPath
  • Fix Commit: ae4dd5d1572a4f639e1a466fd982656b50f8e692

Affected Systems

  • Backstage Scaffolder
  • Backstage Backend Plugins using resolveSafeChildPath
  • Node.js applications using @backstage/cli-common for path validation
  • @backstage/backend-plugin-api: < 0.1.17 (Fixed in: 0.1.17)
  • @backstage/cli-common: < patched version (Fixed in: Commit ae4dd5d)

Code Analysis

Commit: ae4dd5d

Fix resolveSafeChildPath logic to handle non-existent paths and dangling symlinks recursively

function resolveRealPath(path) { /* ... Recursive fix implementation */ }

Exploit Details

  • Hypothetical: Exploitation involves creating a Scaffolder template that symlinks to a sensitive directory and writes a new file through that link.

Mitigation Strategies

  • Input Validation: Ensure recursive resolution of all path components, including non-existent ones.
  • Least Privilege: Run Backstage services as a low-privileged user with restricted write permissions.
  • Containerization: Use a read-only filesystem for the application container, allowing writes only to specific temporary volumes.

Remediation Steps:

  1. Identify usage of @backstage/backend-plugin-api in your package.json.
  2. Update @backstage/backend-plugin-api to version 0.1.17 or higher.
  3. Update @backstage/cli-common if used directly.
  4. Restart the Backstage backend service.
  5. Verify the fix by attempting to register a template that uses symlinks (it should now fail).

Read the full report for CVE-2026-24047 on our website for more details including interactive diagrams and full exploit analysis.
