@backstage/backend-defaults 0.14.0-next.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @backstage/backend-defaults package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Server-side Request Forgery (SSRF) @backstage/backend-defaults is a Backend defaults used by Backstage backend apps Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `FetchUrlReader` component that automatically follows HTTP redirects. An attacker can access internal or sensitive resources by controlling a host listed in `backend.reading.allow` and issuing HTTP redirects to URLs that are not on the allowlist, thereby bypassing security controls. How to fix Server-side Request Forgery (SSRF)? Upgrade `@backstage/backend-defaults` to version 0.12.2, 0.13.2, 0.14.1 or higher.	<0.12.2>=0.13.0-next.0 <0.13.2>=0.14.0-next.0 <0.14.1
H Symlink Attack @backstage/backend-defaults is a Backend defaults used by Backstage backend apps Affected versions of this package are vulnerable to Symlink Attack via multiple actions, including `debug:log`, `fs:delete`, and archive extraction. A user who create and execute Scaffolder templates can read, delete, or write arbitrary files outside the intended workspace. How to fix Symlink Attack? Upgrade `@backstage/backend-defaults` to version 0.12.2, 0.13.2, 0.14.1 or higher.	<0.12.2>=0.13.0-next.0 <0.13.2>=0.14.0-next.0 <0.14.1

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

@backstage/backend-defaults is a Backend defaults used by Backstage backend apps

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the FetchUrlReader component that automatically follows HTTP redirects. An attacker can access internal or sensitive resources by controlling a host listed in backend.reading.allow and issuing HTTP redirects to URLs that are not on the allowlist, thereby bypassing security controls.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @backstage/backend-defaults to version 0.12.2, 0.13.2, 0.14.1 or higher.

<0.12.2>=0.13.0-next.0 <0.13.2>=0.14.0-next.0 <0.14.1

Symlink Attack

@backstage/backend-defaults is a Backend defaults used by Backstage backend apps

Affected versions of this package are vulnerable to Symlink Attack via multiple actions, including debug:log, fs:delete, and archive extraction. A user who create and execute Scaffolder templates can read, delete, or write arbitrary files outside the intended workspace.

How to fix Symlink Attack?

Upgrade @backstage/backend-defaults to version 0.12.2, 0.13.2, 0.14.1 or higher.

<0.12.2>=0.13.0-next.0 <0.13.2>=0.14.0-next.0 <0.14.1

@backstage/backend-defaults@0.14.0-next.1 vulnerabilities

Backend defaults used by Backstage backend apps

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically