Backstage FetchUrlReader Component Server-Side Request Forgery Vulnerability
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Backstage framework, specifically in the FetchUrlReader component of the @backstage/backend-defaults package, in versions prior to 0.12.2, 0.13.0 through 0.13.2, 0.14.0 through 0.14.1, and 0.15.0. An attacker who controls a host listed in backend.reading.allow can answer a read request with a redirect to an internal or otherwise sensitive URL that is not on the allowlist, and FetchUrlReader follows it, bypassing the URL allowlist check. The redirected request can reach internal resources, but the attacker cannot add request headers to it.
Impact
Exploitation of this vulnerability could lead to unauthorized access to internal resources, bypassing established URL allowlist security controls.
Reproduction
The vulnerability can be reproduced by configuring the backend.reading.allow setting to include a host that the attacker controls. When FetchUrlReader reads a URL on that host and the host responds with a redirect, the request is sent on to the redirect target, which may be an internal or sensitive URL that is not on the allowlist, effectively bypassing the allowlist restrictions.
Remediation
Users can upgrade to @backstage/backend-defaults versions 0.12.2, 0.13.2, 0.14.1, or 0.15.0, where this vulnerability is fixed. Additionally, it is recommended to restrict the backend.reading.allow setting to trusted hosts that do not issue redirects, to ensure that allowed hosts do not have open redirect vulnerabilities, and to use network-level controls to block access from Backstage to sensitive internal endpoints.
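As an added example (not Backstage's own code, nor its actual fix), the following reader follows redirects manually and re-checks every hop against a backend.reading.allow-style list, so a redirect from an allowed host cannot escape the allowlist. The AllowEntry shape, the HopResponse/FetchLike interfaces and the stubbed fetch table are assumptions made for the example.

```typescript
// Added example (not Backstage project code): a URL reader that follows
// redirects itself and re-checks each hop against an allowlist shaped like
// backend.reading.allow. A stub fetch is used so this runs offline.

interface AllowEntry { host: string; paths?: string[] }       // assumed config shape
interface HopResponse { status: number; location?: string; body: string }
type FetchLike = (url: string) => Promise<HopResponse>;      // assumed minimal fetch

function parseUrl(url: string): URL | undefined {
  try { return new URL(url); } catch { return undefined; }
}

// Exact host match (port included) plus optional path-prefix match.
function isAllowed(url: string, allow: AllowEntry[]): boolean {
  const u = parseUrl(url);
  if (!u || (u.protocol !== 'https:' && u.protocol !== 'http:')) return false;
  return allow.some(e =>
    e.host.toLowerCase() === u.host.toLowerCase() &&
    (!e.paths || e.paths.length === 0 || e.paths.some(p => u.pathname.startsWith(p))));
}

// Redirects are followed here, not inside fetch, so the Location of every
// hop is checked against the allowlist, not only the URL the caller asked for.
async function readUrlChecked(
  url: string, allow: AllowEntry[], fetchImpl: FetchLike, maxRedirects = 5,
): Promise<string> {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isAllowed(current, allow)) throw new Error(`Reading from '${current}' is not allowed`);
    const res = await fetchImpl(current);
    if (res.status >= 300 && res.status < 400) {
      if (!res.location) throw new Error(`Redirect from '${current}' without Location`);
      current = new URL(res.location, current).toString(); // resolve relative Location, re-check next loop
      continue;
    }
    if (res.status !== 200) throw new Error(`Unexpected status ${res.status} from '${current}'`);
    return res.body;
  }
  throw new Error(`Too many redirects starting from '${url}'`);
}

// Constructed sample: an allowed docs host whose /redirect path points at an internal host.
const ALLOW: AllowEntry[] = [{ host: 'docs.example.com' }];
const stubFetch: FetchLike = async (url) => {
  const table: Record<string, HopResponse> = {
    'https://docs.example.com/page': { status: 200, body: 'public page' },
    'https://docs.example.com/redirect': { status: 302, location: 'http://internal.example/secret', body: '' },
    'http://internal.example/secret': { status: 200, body: 'SECRET' },
  };
  return table[url] || { status: 404, body: '' };
};
```

With this reader, the read of https://docs.example.com/redirect is rejected at the second hop with "Reading from 'http://internal.example/secret' is not allowed", whereas a reader that lets fetch follow redirects would return the internal body.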