Advisories for Npm/@Backstage/Plugin-Scaffolder-Node package

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to: Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets) Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace Write files outside the workspace via archive extraction …

A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploited to perform Git config injection. The vulnerability allows an attacker to capture privileged git tokens used by the Backstage Scaffolder plugin. With these tokens, unauthorized access to sensitive resources in git can be achieved. The impact is considered medium severity as the Backstage Threat Model recommends restricting access to adding and editing templates …