8.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-26150

CVE-2024-26150: `@backstage/backend-common` vulnerable to path traversal through symlinks

Impact

Paths checks with the resolveSafeChildPath utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers.

Patches

Patched in @backstage/backend-common version 0.21.1. Patched in @backstage/backend-common version 0.20.2. Patched in @backstage/backend-common version 0.19.10.

For more information

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-26150

CVE-2024-26150:

8.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@backstage/backend-common	npm	= 0.21.0	0.21.1
@backstage/backend-common	npm	< 0.19.10	0.19.10
@backstage/backend-common	npm	>= 0.20.0, < 0.20.2	0.20.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how resolveSafeChildPath handled path resolution. The pre-patch version used resolveRealPath on both base and target but returned the symlink-following targetPath. The commit diff shows the fix changed the return value to avoid following symlinks (via resolvePath instead of realpath), and added tests for non-existent paths. The CWE-22 classification confirms this is a path traversal issue, and the advisory explicitly calls out resolveSafeChildPath as the vulnerable utility. The function's pre-patch behavior failed to properly compare the realpath of both base and target, enabling symlink-based escapes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-26150: `@backstage/backend-common` vulnerable to path traversal through symlinks

Impact

Patches

For more information

CVE-2024-26150:

8.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-26150: `@backstage/backend-common` vulnerable to path traversal through symlinks

Impact

Patches

For more information

Basic Information

Basic Information

8.7

8.7

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI