GHSA-rq6q-wr2q-7pgp: Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
CVE-2026-24046 (GitHub Reviewed)
Package: @backstage/backend-defaults (npm)
Affected versions: < 0.12.2; >= 0.13.0, < 0.13.2; >= 0.14.0, < 0.14.1
Patched versions: 0.12.2, 0.13.2, 0.14.1

Package: @backstage/plugin-scaffolder-backend (npm)
Affected versions: < 2.2.2; >= 3.0.0, < 3.0.2; >= 3.1.0, < 3.1.1
Patched versions: 2.2.2, 3.0.2, 3.1.1

Package: @backstage/plugin-scaffolder-node (npm)
Affected versions: < 0.11.2; >= 0.12.0, < 0.12.3
Patched versions: 0.11.2, 0.12.3
Impact
Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:
- Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
- Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace
- Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks
This affects any Backstage deployment where users can create or execute Scaffolder templates.
Patches
This vulnerability is fixed in the following package versions:
- @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, 0.15.0
- @backstage/plugin-scaffolder-backend version 2.2.2, 3.0.2, 3.1.1
- @backstage/plugin-scaffolder-node version 0.11.2, 0.12.3
Users should upgrade to these versions or later.
Workarounds
- Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates
- Restrict who can create and execute Scaffolder templates using the permissions framework
- Audit existing templates for symlink usage
- Run Backstage in a containerized environment with limited filesystem access
References
- CWE-59: Improper Link Resolution Before File Access
- OWASP Path Traversal
- GHSA-rq6q-wr2q-7pgp
- backstage/backstage@c641c14
Published to the GitHub Advisory Database
Jan 21, 2026