Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40backstage/cli-common@0.0.0-nightly-20231008021309
Type npm
Namespace @backstage
Name cli-common
Version 0.0.0-nightly-20231008021309
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.1.17
Latest_non_vulnerable_version 0.1.17
Affected_by_vulnerabilities
0
url VCID-n7rj-2bnu-qqdg
vulnerability_id VCID-n7rj-2bnu-qqdg
summary
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
The `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:

1. **Symlink chains**: Creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory
2. **Dangling symlinks**: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations

This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24047.json
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24047.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24047
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07537
published_at 2026-06-09T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07588
published_at 2026-06-05T12:55:00Z
2
value 0.00025
scoring_system epss
scoring_elements 0.07598
published_at 2026-06-06T12:55:00Z
3
value 0.00025
scoring_system epss
scoring_elements 0.07576
published_at 2026-06-07T12:55:00Z
4
value 0.00025
scoring_system epss
scoring_elements 0.07528
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24047
2
reference_url https://github.com/backstage/backstage
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/backstage/backstage
3
reference_url https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:18Z/
url https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2431880
reference_id 2431880
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2431880
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24047
reference_id CVE-2026-24047
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24047
6
reference_url https://github.com/advisories/GHSA-2p49-45hj-7mc9
reference_id GHSA-2p49-45hj-7mc9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2p49-45hj-7mc9
7
reference_url https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9
reference_id GHSA-2p49-45hj-7mc9
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:18Z/
url https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9
fixed_packages
0
url pkg:npm/%40backstage/cli-common@0.1.17
purl pkg:npm/%40backstage/cli-common@0.1.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/cli-common@0.1.17
aliases CVE-2026-24047, GHSA-2p49-45hj-7mc9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n7rj-2bnu-qqdg
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/cli-common@0.0.0-nightly-20231008021309