CVE-2026-24047: @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass

January 21, 2026 (updated January 22, 2026)

The resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by:

Symlink chains: Creating link1 → link2 → /outside where intermediate symlinks eventually resolve outside the allowed directory
Dangling symlinks: Creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations

This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-24047 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →