{"url":"http://public2.vulnerablecode.io/api/packages/948907?format=json","purl":"pkg:npm/%40backstage/cli-common@0.0.0-nightly-20251212024528","type":"npm","namespace":"@backstage","name":"cli-common","version":"0.0.0-nightly-20251212024528","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.1.17","latest_non_vulnerable_version":"0.1.17","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49791?format=json","vulnerability_id":"VCID-n7rj-2bnu-qqdg","summary":"@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass\nThe `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:\n\n1. **Symlink chains**: Creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory\n2. **Dangling symlinks**: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations\n\nThis function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24047.json","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24047.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24047","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07537","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07588","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07598","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07576","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07528","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24047"},{"reference_url":"https://github.com/backstage/backstage","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/backstage/backstage"},{"reference_url":"https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:18Z/"}],"url":"https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431880","reference_id":"2431880","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431880"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24047","reference_id":"CVE-2026-24047","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24047"},{"reference_url":"https://github.com/advisories/GHSA-2p49-45hj-7mc9","reference_id":"GHSA-2p49-45hj-7mc9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2p49-45hj-7mc9"},{"reference_url":"https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9","reference_id":"GHSA-2p49-45hj-7mc9","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T15:09:18Z/"}],"url":"https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73536?format=json","purl":"pkg:npm/%40backstage/cli-common@0.1.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/cli-common@0.1.17"}],"aliases":["CVE-2026-24047","GHSA-2p49-45hj-7mc9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n7rj-2bnu-qqdg"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540backstage/cli-common@0.0.0-nightly-20251212024528"}