Backstage Experimental Client ID Metadata Document Feature Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Backstage authentication plugin backend in versions prior to 0.27.1. It is reachable only when the experimental Client ID Metadata Documents (CIMD) feature is enabled. The metadata fetch validates the initial client_id hostname against private IP ranges but does not repeat that validation after an HTTP redirect, so an attacker can redirect the request to an internal host and bypass the SSRF protection. The practical impact is limited: the attacker cannot read the response body of the internal request, cannot control request headers or methods, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.

Impact

Exploitation of this vulnerability could lead to Server-Side Request Forgery, allowing internal requests to be made to private IP addresses, potentially bypassing network security controls.

Reproduction

To reproduce this vulnerability, enable the experimental Client ID Metadata Documents feature in the Backstage authentication plugin backend configuration. Once the feature is enabled, the vulnerability can be triggered by sending a request that includes a client_id pointing to a URL that will redirect to an internal IP address. The metadata fetch will follow the redirect, bypassing the initial SSRF protections.

Remediation

Update to Backstage version 0.27.1 or later, where this vulnerability has been patched. Alternatively, disable the experimental CIMD feature by setting 'auth.experimentalClientIdMetadataDocuments.enabled' to false in the app configuration. For deployments that require the feature, restricting 'allowedClientIdPatterns' to trusted domains also mitigates the risk.
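The fix the advisory describes is to re-run the private-address check on every redirect hop, not only on the original client_id. The following is an added, hypothetical illustration of that pattern and is not Backstage code; it assumes an injected single-hop fetcher (fetchOnce, which must not auto-follow redirects) and an injected DNS resolver (resolve), so it can run offline against constructed responses.

```typescript
// Added example (hypothetical, not Backstage code): a Client ID Metadata Document
// fetch that follows redirects by hand and re-validates the host on EVERY hop,
// which is the check the advisory says was applied to the first hop only.
// fetchOnce must not auto-follow redirects; resolve maps a hostname to its IPs.
interface HopResponse { status: number; location?: string; body: string }
type Fetcher = (url: string) => Promise<HopResponse>;
type Resolver = (host: string) => Promise<string[]>;

// IPv4 ranges a metadata fetch must never reach: "this network", RFC 1918,
// loopback, link-local, CGNAT. Returns false for anything that is not IPv4.
function isPrivateIPv4(ip: string): boolean {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  const [a, b] = p;
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Rejects a URL unless it is https and every address its host resolves to is public.
async function assertPublicHost(url: URL, resolve: Resolver): Promise<void> {
  if (url.protocol !== 'https:') throw new Error(`blocked: ${url.href} is not https`);
  const host = url.hostname;
  // Assumption: IPv6 literals (bracketed by the WHATWG URL parser) are refused outright.
  if (host === 'localhost' || host.startsWith('[')) throw new Error(`blocked: host ${host}`);
  const addrs = /^\d+(\.\d+){3}$/.test(host) ? [host] : await resolve(host);
  if (addrs.length === 0) throw new Error(`blocked: ${host} does not resolve`);
  for (const a of addrs) {
    if (isPrivateIPv4(a)) throw new Error(`blocked: ${host} resolves to private address ${a}`);
  }
}

// Fetches the metadata document, validating the current URL before each request.
async function fetchClientMetadata(
  clientId: string, fetchOnce: Fetcher, resolve: Resolver, maxRedirects = 3,
): Promise<string> {
  let url = new URL(clientId);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    await assertPublicHost(url, resolve); // runs on the redirect target too, not just client_id
    const res = await fetchOnce(url.href);
    if (res.status >= 300 && res.status < 400 && res.location) {
      url = new URL(res.location, url); // relative Location is resolved against the current hop
      continue;
    }
    if (res.status !== 200) throw new Error(`metadata fetch failed with HTTP ${res.status}`);
    return res.body;
  }
  throw new Error('blocked: too many redirects');
}
```

A host whose DNS answer contains any private address is refused as well, which also covers the case where a public name is later pointed at an internal address.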

Added: Mar 12, 2026, 7:22 PM
Updated: Mar 12, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 7.1
remediation: 0.0
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.