Backstage SSRF Flaw: URL Redirects Expose Internal Systems

CVE Notify is flagging a critical Server-Side Request Forgery (SSRF) vulnerability impacting Backstage, an open framework for building developer portals. The issue lies within the FetchUrlReader component in versions prior to 0.12.2, 0.13.2, 0.14.1, and 0.15.0 of @backstage/backend-defaults. This component, responsible for fetching content from URLs, automatically followed HTTP redirects. Attackers could exploit this by controlling a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the allowlist, effectively bypassing security controls and potentially exposing internal resources.

This SSRF vulnerability, while not allowing attackers to inject custom request headers, represents a significant risk for organizations using these vulnerable Backstage versions. The ability to pivot to internal endpoints via a seemingly trusted host is a classic SSRF playbook move. Thankfully, the Backstage team has addressed this in patched versions, so upgrading is the primary remediation.

CVE Notify points out that fixes are available in @backstage/backend-defaults versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0 and later. Beyond upgrading, they suggest a few workarounds for those not yet patched: strictly limiting backend.reading.allow to only trusted, non-redirecting hosts you control, ensuring the allowed hosts themselves don't have open redirect vulnerabilities, and implementing network-level controls to block Backstage's access to sensitive internal endpoints.
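The following is an added illustration, not Backstage's own FetchUrlReader code, of the two reader shapes the advisory contrasts: one that checks the allowlist only on the starting URL and then follows redirects, and one that handles redirects itself and re-checks every hop. The allowlist format is modelled on backend.reading.allow entries with a host and optional path prefixes (that shape is an assumption here); the hostnames, the open redirect on docs.example.com, and the offline "transport" that stands in for an HTTP client are all constructed for the example.

```javascript
'use strict';

// Allowlist shaped like backend.reading.allow entries ({ host, paths? }).
// Hostnames and paths here are constructed for the example.
const ALLOW = [
  { host: 'docs.example.com' },
  { host: '*.catalog.example.com', paths: ['/api/'] },
];

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Match a host pattern: exact host, or "*.suffix" for any subdomain of suffix.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // '*.a.b' -> '.a.b'
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// True only if the URL is http(s) and matches some allowlist entry's host
// (and one of its path prefixes, when the entry restricts paths).
function isAllowed(urlString, allow) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return allow.some(
    (entry) =>
      hostMatches(entry.host, url.hostname) &&
      (!entry.paths || entry.paths.some((p) => url.pathname.startsWith(p))),
  );
}

// VULNERABLE shape: the allowlist is checked once, on the initial URL, and
// redirects are then followed without re-checking. An allowed host that
// redirects elsewhere walks the reader off the allowlist.
function readUrlCheckingOnlyStart(urlString, allow, transport, maxHops = 5) {
  if (!isAllowed(urlString, allow)) throw new Error(`not allowed: ${urlString}`);
  let url = urlString;
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = transport(url);
    if (REDIRECT_STATUSES.has(res.status) && res.location) {
      url = new URL(res.location, url).toString(); // followed blindly
      continue;
    }
    return { url, status: res.status, body: res.body };
  }
  throw new Error('too many redirects');
}

// HARDENED shape: redirects are handled manually and every hop, including
// the final one, must itself pass the allowlist before it is fetched.
function readUrlCheckingEachHop(urlString, allow, transport, maxHops = 5) {
  let url = urlString;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAllowed(url, allow)) {
      throw new Error(`blocked: ${url} is not in the allowlist (hop ${hop})`);
    }
    const res = transport(url);
    if (REDIRECT_STATUSES.has(res.status)) {
      if (!res.location) throw new Error(`redirect from ${url} without Location`);
      url = new URL(res.location, url).toString();
      continue;
    }
    return { url, status: res.status, body: res.body };
  }
  throw new Error('too many redirects');
}

// Constructed offline transport standing in for an HTTP client that does not
// follow redirects on its own (the behaviour of fetch with redirect: 'manual').
// docs.example.com is allowed but hosts an open redirect to an internal name.
const FAKE_RESPONSES = {
  'https://docs.example.com/page': { status: 200, body: 'public content' },
  'https://docs.example.com/moved': { status: 301, location: '/page' },
  'https://docs.example.com/redirect': { status: 302, location: 'http://internal-service.local/admin' },
  'http://internal-service.local/admin': { status: 200, body: 'INTERNAL ONLY' },
};
function fakeTransport(url) {
  return FAKE_RESPONSES[url] || { status: 404, body: '' };
}
```

Run against the constructed transport, the first reader returns the body of internal-service.local for a request that started at an allowed host, which is the allowlist bypass the advisory describes; the second reader throws on the off-list hop while still completing an ordinary same-host redirect. The same per-hop check is also a reasonable place to log rejected redirect targets, since a listed host that starts issuing redirects off the allowlist is exactly the condition the workarounds ask you to rule out.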

What This Means For You

  • Organizations using Backstage must immediately audit their `backend.reading.allow` configurations. Ensure that any hosts listed are not only trusted but also incapable of performing open redirects, as this vulnerability specifically leverages redirect chains to bypass allowlist protections.

Indicators of Compromise

ID: CVE-2026-24048
Type: SSRF
Indicator: Software: @backstage/backend-defaults. Affected versions: < 0.12.2, < 0.13.2, < 0.14.1, < 0.15.0. Vulnerable component: FetchUrlReader. Description: Automatically follows HTTP redirects, allowing bypass of the URL allowlist to access internal resources.