Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40backstage/plugin-permission-backend@0.0.0-nightly-20220915030237

Type npm

Namespace @backstage

Name plugin-permission-backend

Version 0.0.0-nightly-20220915030237

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.6.0

Latest_non_vulnerable_version 0.6.0

Affected_by_vulnerabilities

url VCID-atrh-t5tq-sqaa

vulnerability_id VCID-atrh-t5tq-sqaa

summary The Backstage Scaffolder plugin houses types and utilities for building scaffolder-related modules. A vulnerability in the Backstage permission plugin backend allows callers to extract some information about the conditional decisions returned by the permission policy installed in the permission backend. If the permission system is not in use or if the installed permission policy does not use conditional decisions, there is no impact. This issue has been patched in version 0.6.0 of the permissions backend. A workaround includes having administrators of the permission policies ensure that they are crafted in such a way that conditional decisions do not contain any sensitive information.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-32791

reference_id

reference_type

scores

value	0.00327
scoring_system	epss
scoring_elements	0.56181
published_at	2026-06-12T12:55:00Z

value	0.00327
scoring_system	epss
scoring_elements	0.56195
published_at	2026-06-13T12:55:00Z

value	0.00327
scoring_system	epss
scoring_elements	0.5606
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-32791

reference_url

https://github.com/backstage/backstage

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/backstage/backstage

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-32791

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-32791

reference_url	https://github.com/advisories/GHSA-f8j4-p5cr-p777
reference_id	GHSA-f8j4-p5cr-p777
reference_type
scores
url	https://github.com/advisories/GHSA-f8j4-p5cr-p777

reference_url

https://github.com/backstage/backstage/security/advisories/GHSA-f8j4-p5cr-p777

reference_id

GHSA-f8j4-p5cr-p777

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-17T13:11:00Z/

url

https://github.com/backstage/backstage/security/advisories/GHSA-f8j4-p5cr-p777

fixed_packages

url pkg:npm/%40backstage/plugin-permission-backend@0.1.0

purl pkg:npm/%40backstage/plugin-permission-backend@0.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-atrh-t5tq-sqaa

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-permission-backend@0.1.0

url	pkg:npm/%40backstage/plugin-permission-backend@0.6.0
purl	pkg:npm/%40backstage/plugin-permission-backend@0.6.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-permission-backend@0.6.0

aliases CVE-2025-32791, GHSA-f8j4-p5cr-p777

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-atrh-t5tq-sqaa

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/plugin-permission-backend@0.0.0-nightly-20220915030237

Package Instance