Backstage OIDC Provider Redirect URI Allowlist Bypass Vulnerability

Vulnerability

A redirect URI allowlist bypass has been identified in the experimental OpenID Connect (OIDC) provider of Backstage's authentication backend plugin, in versions prior to 0.27.1. It affects only instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and have configured allowedRedirectUriPatterns. An attacker can craft a redirect URI that passes the allowlist validation yet resolves to an attacker-controlled host. If a victim then consents to the OAuth authorization request, the authorization code is delivered to that host, and the attacker can exchange it for a valid access token. Exploitation requires victim interaction and the explicit activation of these experimental features, which are not enabled by default.
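
The general failure class behind this advisory is a redirect_uri comparison that is looser than an exact, parsed match. The following TypeScript is an added illustration, not Backstage's code and not the specific bypass fixed in 0.27.1: weakMatch() is a hypothetical prefix check, strictMatch() is the hardened form, and the allowlist entries, sample URIs and exact-URI pattern syntax are all constructed assumptions.

```typescript
// Added example (not Backstage's own code): an OIDC provider must compare the
// redirect_uri a client requests against its registered allowlist by exact,
// parsed comparison. weakMatch() is a hypothetical prefix check of the kind a
// crafted URI slips past; strictMatch() is the hardened form.

// Hypothetical allowlist; entries and the exact-URI syntax are assumptions.
const ALLOWED_REDIRECT_URIS: string[] = [
  "https://portal.example.com/api/auth/callback",
];

// Weak (hypothetical) check: accepts any URI whose text starts with the origin
// of an allowed entry. Two of the crafted URIs below share that text prefix
// while pointing at a different host, so they are accepted.
function weakMatch(allowed: string[], redirectUri: string): boolean {
  return allowed.some((entry) => redirectUri.startsWith(new URL(entry).origin));
}

function isLoopback(hostname: string): boolean {
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
}

// Strict check: parse the requested URI, require https (plain http only for
// loopback), refuse embedded credentials, query and fragment, then require an
// exact origin (scheme, host, port) and exact path match with an allowed entry.
function strictMatch(allowed: string[], redirectUri: string): boolean {
  let u: URL;
  try {
    u = new URL(redirectUri);
  } catch {
    return false; // unparsable input is never a match
  }
  if (u.protocol !== "https:" && !(u.protocol === "http:" && isLoopback(u.hostname))) {
    return false;
  }
  if (u.username !== "" || u.password !== "") return false; // userinfo smuggling
  if (u.search !== "" || u.hash !== "") return false;       // no query/fragment tricks
  return allowed.some((entry) => {
    let a: URL;
    try {
      a = new URL(entry);
    } catch {
      return false;
    }
    return a.origin === u.origin && a.pathname === u.pathname;
  });
}

// Constructed inputs: the legitimate callback plus URIs that parse to an
// attacker-controlled host (or otherwise differ) while sharing the allowed
// origin as a text prefix.
const SAMPLE_URIS: Record<string, string> = {
  legitimate: "https://portal.example.com/api/auth/callback",
  subdomainSuffix: "https://portal.example.com.attacker.example/api/auth/callback",
  userinfoHost: "https://portal.example.com@attacker.example/api/auth/callback",
  downgradedScheme: "http://portal.example.com/api/auth/callback",
  extraQuery: "https://portal.example.com/api/auth/callback?next=https://attacker.example/",
};

// Run every sample through both matchers; returns { name: [weak, strict] }.
function compareMatchers(): Record<string, [boolean, boolean]> {
  const out: Record<string, [boolean, boolean]> = {};
  for (const name of Object.keys(SAMPLE_URIS)) {
    const uri = SAMPLE_URIS[name];
    out[name] = [weakMatch(ALLOWED_REDIRECT_URIS, uri), strictMatch(ALLOWED_REDIRECT_URIS, uri)];
  }
  return out;
}

const results = compareMatchers();
for (const name of Object.keys(results)) {
  console.log(name + ": weak=" + results[name][0] + " strict=" + results[name][1]);
}
```

Running it shows the weak matcher accepting the subdomain-suffix and userinfo variants that the strict matcher rejects. The strict matcher deliberately compares the full origin including port; RFC 8252 permits ignoring the port for loopback native clients, which a production implementation would special-case, and the glob syntax of a real pattern list is not modeled here.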

Impact

Exploitation lets an attacker bypass the redirect URI allowlist, intercept a victim's authorization code and exchange it for an access token, gaining unauthorized access in the victim's context.

Remediation

Upgrade the authentication backend plugin to version 0.27.1 or later. If the experimental Dynamic Client Registration and Client ID Metadata Documents features are not needed, leave them disabled (they are off by default). Where they are needed, review allowedRedirectUriPatterns and keep each entry as narrow as possible, ideally the exact callback URIs of known clients.

Added: Mar 12, 2026, 7:23 PM
Updated: Mar 12, 2026, 7:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.2
remediation: 0.0
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.