Listen to this Post
How the CVE Works
This SSRF vulnerability resides in the `@backstage/plugin-auth-backend` when the experimental feature `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true` . The feature fetches Client ID Metadata Documents (CIMD) from a user-supplied `client_id` hostname. While the initial request validates the hostname against private IP ranges to block internal network requests, the code fails to re-validate the destination after following HTTP redirects. An attacker could configure a `client_id` with a public hostname that redirects to an internal IP address (e.g., 192.168.1.1, 127.0.0.1). The initial validation passes because the public hostname resolves to a public IP, but after the redirect, the backend fetches from an internal server . The impact is limited because the attacker cannot read the response body, control request headers or methods, and this experimental flag is off by default. The vulnerability was patched in version 0.27.1 by disabling HTTP redirect following during the metadata fetch .
dailycve Form
Platform: Backstage Auth Plugin
Version: before 0.27.1
Vulnerability: SSRF via Redirects
Severity: Medium (CVSS 4.3)
Date: 2025-04-16
Prediction: Already Patched 0.27.1
What Undercode Say
Analytics
The vulnerability requires the experimental CIMD feature to be explicitly enabled, which significantly reduces the attack surface. Deployments using default configurations are not affected. Organizations that restrict `allowedClientIdPatterns` to trusted domains are also protected . The patch simply disables redirect following, indicating a low-complexity fix with minimal regression risk.
Bash/Codes
Check if vulnerable configuration is enabled:
Check if experimental CIMD feature is enabled in app-config.yaml grep -A 2 "experimentalClientIdMetadataDocuments" app-config.yaml If enabled, verify current plugin version npm list @backstage/plugin-auth-backend Upgrade to patched version npm install @backstage/[email protected]
Example vulnerable configuration (app-config.yaml):
auth: experimentalClientIdMetadataDocuments: enabled: true Vulnerable if true and version < 0.27.1 allowedClientIdPatterns: - "." Wildcard increases risk
Example exploit simulation (conceptual curl):
Attacker sets up redirect Public endpoint -> http://evil.com/redirect -> http://169.254.169.254/latest/meta-data/ The backend fetches evil.com, follows redirect to internal metadata service
How Exploit
1. Attacker identifies Backstage instance with `experimentalClientIdMetadataDocuments.enabled: true`
- Attacker sets up a public server that responds with HTTP 302 redirect to an internal IP (e.g., 192.168.1.1:8080, 127.0.0.1:7000)
- Attacker crafts OAuth client_id pointing to their public server
- The auth backend validates the public hostname (passes private IP check)
- Backend follows redirect, sending request to internal service
- Attacker cannot see response body, but can trigger internal requests (potential blind SSRF)
Protection from this CVE
- Patch: Upgrade to `@backstage/plugin-auth-backend` 0.27.1 or later
- Disable Feature: Set `auth.experimentalClientIdMetadataDocuments.enabled: false` (default)
- Restrict Patterns: Configure `allowedClientIdPatterns` to specific trusted domains instead of wildcard
- Network Segmentation: Limit backend egress traffic to prevent internal network scanning
- Monitor Logs: Watch for unexpected redirect chains in auth backend logs
Impact
CVSS Score: 4.3 (Medium)
Attack Vector: Network
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: Low (internal requests triggered, no body read)
Integrity Impact: None
Availability Impact: None
The practical impact is limited to blind SSRF probes against internal services. Attackers cannot exfiltrate data from internal responses, modify requests, or exploit the vulnerability without enabling an experimental flag. Organizations following default configurations are unaffected.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

