The vulnerability stems from how entity metadata was used to construct file paths. The staticEntityPathJoin function built storage paths from entity fields (namespace, kind, name). Before the patch it used a plain path.join() with no sanitization, so any entity field containing '..' could traverse outside the intended directory. The commit fixes this by building the path with resolveSafeChildPath and adding validation, and the accompanying tests show that entities containing '..' are rejected. This function was the core path-construction mechanism and had no traversal protection.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @backstage/plugin-techdocs-node | npm | < 1.1.2 | 1.1.2 |
| @backstage/techdocs-common | npm | < 0.11.16 | 0.11.16 |