SCA: security update for @backstage/cli-common (GHSA-2p49-45hj-7mc9)

Severity: Medium | Tenable Cloud Security | Plugin ID 436879

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Backstage is an open framework for building developer portals; @backstage/cli-common provides the
config loading used by the Backstage backend and command line interface. Prior to version 0.1.17, the
`resolveSafeChildPath` utility exposed through `@backstage/backend-plugin-api`, which is meant to
prevent path traversal, did not properly validate symlink chains or dangling symlinks. An attacker could
bypass the path validation with a symlink chain (`link1 → link2 → /outside`, where an intermediate link
that looks safe on its own eventually resolves outside the allowed directory) or with a dangling symlink
(a link pointing to a not-yet-existing path outside the base directory, whose target is then created by
a later file operation). Scaffolder actions and other backend components rely on this function to keep
file operations inside their designated directories. The fix ships in version 0.1.17; users should
upgrade to that version or later. Note that the advisory text names `@backstage/backend-plugin-api`
while the plugin title and GHSA-2p49-45hj-7mc9 name `@backstage/cli-common`, so confirm the exact
affected package and version range in the advisory rather than pinning a single package. Workarounds:
run Backstage in a containerized environment with restricted filesystem access and/or limit template
creation to trusted users. (CVE-2026-24047)

See Also

https://github.com/advisories/GHSA-2p49-45hj-7mc9

Plugin Details

Severity: Medium

ID: 436879

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/22/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.27

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-24047

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/21/2026

Vulnerability Publication Date: 1/21/2026

Reference Information

CVE: CVE-2026-24047