Backstage, Server-Side Request Forgery (SSRF), CVE-2025-32791 (Medium)

Listen to this Post

How the CVE Works

This SSRF vulnerability resides in the `@backstage/plugin-auth-backend` when the experimental feature `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true` . The feature fetches Client ID Metadata Documents (CIMD) from a user-supplied `client_id` hostname. While the initial request validates the hostname against private IP ranges to block internal network requests, the code fails to re-validate the destination after following HTTP redirects. An attacker could configure a `client_id` with a public hostname that redirects to an internal IP address (e.g., 192.168.1.1, 127.0.0.1). The initial validation passes because the public hostname resolves to a public IP, but after the redirect, the backend fetches from an internal server . The impact is limited because the attacker cannot read the response body, control request headers or methods, and this experimental flag is off by default. The vulnerability was patched in version 0.27.1 by disabling HTTP redirect following during the metadata fetch .

dailycve Form

Platform: Backstage Auth Plugin
Version: before 0.27.1
Vulnerability: SSRF via Redirects
Severity: Medium (CVSS 4.3)
Date: 2025-04-16

Prediction: Already Patched 0.27.1

What Undercode Say

Analytics

The vulnerability requires the experimental CIMD feature to be explicitly enabled, which significantly reduces the attack surface. Deployments using default configurations are not affected. Organizations that restrict `allowedClientIdPatterns` to trusted domains are also protected . The patch simply disables redirect following, indicating a low-complexity fix with minimal regression risk.

Bash/Codes

Check if vulnerable configuration is enabled:

Check if experimental CIMD feature is enabled in app-config.yaml
grep -A 2 "experimentalClientIdMetadataDocuments" app-config.yaml
If enabled, verify current plugin version
npm list @backstage/plugin-auth-backend
Upgrade to patched version
npm install @backstage/[email protected]

Example vulnerable configuration (app-config.yaml):

auth:
experimentalClientIdMetadataDocuments:
enabled: true Vulnerable if true and version < 0.27.1
allowedClientIdPatterns:
- "." Wildcard increases risk

Example exploit simulation (conceptual curl):

Attacker sets up redirect
Public endpoint -> http://evil.com/redirect -> http://169.254.169.254/latest/meta-data/
The backend fetches evil.com, follows redirect to internal metadata service

How Exploit

1. Attacker identifies Backstage instance with `experimentalClientIdMetadataDocuments.enabled: true`

  1. Attacker sets up a public server that responds with HTTP 302 redirect to an internal IP (e.g., 192.168.1.1:8080, 127.0.0.1:7000)
  2. Attacker crafts OAuth client_id pointing to their public server
  3. The auth backend validates the public hostname (passes private IP check)
  4. Backend follows redirect, sending request to internal service
  5. Attacker cannot see response body, but can trigger internal requests (potential blind SSRF)

Protection from this CVE

  • Patch: Upgrade to `@backstage/plugin-auth-backend` 0.27.1 or later
  • Disable Feature: Set `auth.experimentalClientIdMetadataDocuments.enabled: false` (default)
  • Restrict Patterns: Configure `allowedClientIdPatterns` to specific trusted domains instead of wildcard
  • Network Segmentation: Limit backend egress traffic to prevent internal network scanning
  • Monitor Logs: Watch for unexpected redirect chains in auth backend logs

Impact

CVSS Score: 4.3 (Medium)

Attack Vector: Network

Privileges Required: None

User Interaction: Required

Scope: Unchanged

Confidentiality Impact: Low (internal requests triggered, no body read)

Integrity Impact: None

Availability Impact: None

The practical impact is limited to blind SSRF probes against internal services. Attackers cannot exfiltrate data from internal responses, modify requests, or exploit the vulnerability without enabling an experimental flag. Organizations following default configurations are unaffected.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top