GHSA-2p49-45hj-7mc9: @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2026-24047

@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass

Moderate severity GitHub Reviewed Published Jan 21, 2026 in backstage/backstage • Updated Jan 21, 2026

Package

npm @backstage/cli-common (npm)

Affected versions

<= 0.1.16

Impact

The resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:

1. Symlink chains: Creating link1 → link2 → /outside where intermediate symlinks eventually resolve outside the allowed directory
2. Dangling symlinks: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations

This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.

Patches

This vulnerability is fixed in @backstage/backend-plugin-api version 0.1.17. Users should upgrade to this version or later.

Workarounds

• Run Backstage in a containerised environment with limited filesystem access
• Restrict template creation to trusted users

References

• GHSA-2p49-45hj-7mc9
• backstage/backstage@ae4dd5d

Published to the GitHub Advisory Database

Jan 21, 2026

Last updated

Jan 21, 2026