DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24048: Backstage Pass: Bypassing SSRF Protections via Redirect Hijacking


Vulnerability ID: CVE-2026-24048
CVSS Score: 3.5
Published: 2026-01-21

A logic flaw in the Backstage FetchUrlReader component allowed attackers to bypass the backend.reading.allow URL allowlist by way of HTTP redirects. Only the initial URL was validated against the configuration; the underlying HTTP client then followed 3xx redirects blindly, so a redirect issued by an allowed host could land the fetch on internal network resources that the allowlist was meant to keep unreachable.

TL;DR

The Backstage backend checked the invite list at the front door but didn't watch where the guests went after they got in. By supplying a URL on an allowed domain (GitHub, for example) that answers with a 302 redirect, an attacker could make the server fetch internal resources such as the AWS metadata endpoint or local services, bypassing the backend.reading.allow controls entirely.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network (Redirect Hijack)
  • CVSS: 3.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N)
  • Impact: Information Disclosure / Internal Network Access
  • Exploit Status: PoC Available
  • Patch Status: Available (0.12.2; see Remediation Steps for the patched version of each release line)

Affected Systems

  • Backstage Backend
  • @backstage/backend-defaults package
  • Backstage Scaffolder Plugin
  • Backstage Catalog Plugin
  • @backstage/backend-defaults: < 0.12.2 (Fixed in: 0.12.2); later release lines are fixed in the versions listed under Remediation Steps

Code Analysis

Commit: 27f9061

Fix SSRF by implementing manual redirect handling in FetchUrlReader

fetch(url, { redirect: 'manual' })  // the client no longer follows 3xx responses; FetchUrlReader inspects the redirect itself
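To make the difference concrete, here is an added example (not code from Backstage or from the CVE report) that puts the vulnerable shape of a URL reader next to the fixed one. It assumes a simplified allowlist of the backend.reading.allow form (host entries, with a leading `*.` wildcard), an in-memory upstream constructed for the demo in which an allowed github.com URL answers with a 302 to the cloud metadata address, and a synchronous simulated `fetch()`; the real one is async, but the redirect handling is the same. The function and variable names are the example's own.

```typescript
// Added example, not Backstage code: vulnerable vs. fixed redirect handling in a URL reader.
// Allowlist shape is a simplified backend.reading.allow; SERVER is a constructed upstream.

type AllowRule = { host: string }; // 'github.com' or wildcard '*.githubusercontent.com'
type Upstream = { status: number; headers: Record<string, string>; body: string };
type SimResponse = Upstream & { url: string };

// Constructed responses. github.com is on the allowlist, but one of its URLs redirects
// to the metadata endpoint, which the reader must never reach. A same-host relative
// redirect is included to show the fixed reader still follows legitimate hops.
const SERVER: Record<string, Upstream> = {
  'https://github.com/evil/repo/raw/main/README.md': {
    status: 302, headers: { location: 'http://169.254.169.254/latest/meta-data/' }, body: '',
  },
  'http://169.254.169.254/latest/meta-data/': {
    status: 200, headers: {}, body: 'ami-id\ninstance-id\n',
  },
  'https://github.com/good/repo/blob/main/README.md': {
    status: 301, headers: { location: '/good/repo/raw/main/README.md' }, body: '',
  },
  'https://github.com/good/repo/raw/main/README.md': {
    status: 200, headers: {}, body: '# hello',
  },
};

function isRedirect(r: Upstream): boolean {
  return r.status >= 300 && r.status < 400 && r.headers.location !== undefined;
}

// Simulated fetch(): redirect 'follow' (the default) chases Location headers without
// telling the caller; redirect 'manual' hands the 3xx response back to the caller.
function simFetch(url: string, init: { redirect: 'follow' | 'manual' }): SimResponse {
  let current = url;
  for (let hop = 0; hop <= 20; hop++) {
    const entry = SERVER[current];
    if (entry === undefined) return { url: current, status: 404, headers: {}, body: '' };
    if (!isRedirect(entry) || init.redirect === 'manual') return { url: current, ...entry };
    current = new URL(entry.headers.location as string, current).toString();
  }
  throw new Error('too many redirects');
}

// Host allowlist check. Wildcards match subdomains only, so 'github.com.evil.net'
// does not match 'github.com' and the bare apex does not match '*.example.com'.
function isAllowed(url: string, allow: AllowRule[]): boolean {
  const host = new URL(url).hostname;
  return allow.some((rule) => {
    if (rule.host.slice(0, 2) === '*.') {
      const suffix = rule.host.slice(1); // '.githubusercontent.com'
      return host.length > suffix.length && host.slice(-suffix.length) === suffix;
    }
    return host === rule.host;
  });
}

const ALLOW: AllowRule[] = [{ host: 'github.com' }, { host: '*.githubusercontent.com' }];

// Vulnerable shape: the allowlist is consulted once, then the client follows whatever
// Location the allowed host returns.
function readUrlUnsafe(url: string): string {
  if (!isAllowed(url, ALLOW)) throw new Error(`not allowed: ${url}`);
  return simFetch(url, { redirect: 'follow' }).body;
}

// Fixed shape: every hop is validated before it is fetched, relative Locations are
// resolved against the current URL, and the chain length is capped.
function readUrlSafe(url: string, maxHops = 10): string {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAllowed(current, ALLOW)) throw new Error(`not allowed: ${current}`);
    const res = simFetch(current, { redirect: 'manual' });
    if (isRedirect(res)) {
      current = new URL(res.headers.location as string, current).toString();
      continue;
    }
    if (res.status !== 200) throw new Error(`fetch failed with ${res.status}: ${current}`);
    return res.body;
  }
  throw new Error('redirect chain too long');
}

// Demo with the attacker-controlled URL on an allowed host.
const PAYLOAD = 'https://github.com/evil/repo/raw/main/README.md';
console.log('unsafe:', JSON.stringify(readUrlUnsafe(PAYLOAD)));
try {
  readUrlSafe(PAYLOAD);
} catch (e) {
  console.log('safe:', (e as Error).message);
}
```

The point worth carrying into a real implementation is the loop in `readUrlSafe`: the allowlist check runs on the resolved target of every hop, not just the URL the caller supplied, and a hop cap stops an allowed host from bouncing the reader around indefinitely.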

Exploit Details

  • Internal research: a URL on an allowed host answers with a 302 whose Location points at an internal address; because the UrlReader allowlist check is applied only to the initial URL, the redirect target is fetched without validation.

Mitigation Strategies

  • Upgrade @backstage/backend-defaults to a patched version immediately.
  • Implement network-level egress filtering to block access to internal IP ranges (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12).
  • Block access to cloud metadata services (169.254.169.254) from application containers.

Remediation Steps:

  1. Check your package.json for @backstage/backend-defaults.
  2. Update the version to ^0.12.2, ^0.13.2, ^0.14.1, or ^0.15.0.
  3. Run yarn install or npm install to apply changes.
  4. Restart the Backstage backend service.

Read the full report for CVE-2026-24048 on our website for more details including interactive diagrams and full exploit analysis.
