VYPR
High severityNVD Advisory· Published Feb 23, 2024· Updated Aug 1, 2024

`@backstage/backend-common` vulnerable to path traversal through symlinks

CVE-2024-26150

Description

@backstage/backend-common is a common functionality library for backends for Backstage, an open platform for building developer portals. In @backstage/backend-common prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the resolveSafeChildPath utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in @backstage/backend-common versions 0.21.1, 0.20.2, and 0.19.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@backstage/backend-commonnpm
>= 0.21.0, < 0.21.10.21.1
@backstage/backend-commonnpm
< 0.19.100.19.10
@backstage/backend-commonnpm
>= 0.20.0, < 0.20.20.20.2

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.