GHSA-rq6q-wr2q-7pgp
HIGHBackstage has a Possible Symlink Path Traversal in Scaffolder Actions
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
@backstage/backend-defaultsnpmDescription
Impact
Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:
- Read arbitrary files via the
debug:logaction by creating a symlink pointing to sensitive files (e.g.,/etc/passwd, configuration files, secrets) - Delete arbitrary files via the
fs:deleteaction by creating symlinks pointing outside the workspace - Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks
This affects any Backstage deployment where users can create or execute Scaffolder templates.
Patches
This vulnerability is fixed in the following package versions:
@backstage/backend-defaultsversion 0.12.2, 0.13.2, 0.14.1, 0.15.0@backstage/plugin-scaffolder-backendversion 2.2.2, 3.0.2, 3.1.1@backstage/plugin-scaffolder-nodeversion 0.11.2, 0.12.3
Users should upgrade to these versions or later.
Workarounds
- Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates
- Restrict who can create and execute Scaffolder templates using the permissions framework
- Audit existing templates for symlink usage
- Run Backstage in a containerized environment with limited filesystem access
References
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @backstage/backend-defaults | all versions | 0.12.2 |
| 📦npm | @backstage/backend-defaults | ≥ 0.13.0&&< 0.13.2 | 0.13.2 |
| 📦npm | @backstage/backend-defaults | ≥ 0.14.0&&< 0.14.1 | 0.14.1 |
| 📦npm | @backstage/plugin-scaffolder-backend | all versions | 2.2.2 |
| 📦npm | @backstage/plugin-scaffolder-backend | ≥ 3.0.0&&< 3.0.2 | 3.0.2 |
| 📦npm | @backstage/plugin-scaffolder-backend | ≥ 3.1.0&&< 3.1.1 | 3.1.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @backstage/backend-defaults. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @backstage/backend-defaults to 0.12.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-rq6q-wr2q-7pgp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-rq6q-wr2q-7pgp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-rq6q-wr2q-7pgp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-rq6q-wr2q-7pgp in your dependencies?
O3 detects GHSA-rq6q-wr2q-7pgp across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.