CVE-2024-26150: 
JavaScript vulnerability analysis and mitigation

@backstage/backend-common, a common functionality library for backends for Backstage (an open platform for building developer portals), was found to have a path traversal vulnerability. The vulnerability affects versions prior to 0.21.1, 0.20.2, and 0.19.10, where path checks with the resolveSafeChildPath utility were not exhaustive enough, potentially allowing path traversal if symlinks could be injected by attackers. The issue was disclosed on February 23, 2024 (Vendor Advisory).

The vulnerability is identified as CVE-2024-26150 and has been assigned a CVSS v3.1 base score of 8.7 (High). The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The technical issue stems from insufficient path validation in the resolveSafeChildPath utility, which could allow attackers to traverse directories outside the intended scope through symlink manipulation (NVD).

The vulnerability could lead to unauthorized access to files outside the intended directory structure. According to the CVSS metrics, the vulnerability has high impact on both confidentiality and integrity, while availability remains unaffected. The attack requires high privileges but can be executed remotely with low attack complexity and without user interaction (Vendor Advisory).

The vulnerability has been patched in @backstage/backend-common versions 0.21.1, 0.20.2, and 0.19.10. Users are advised to upgrade to these patched versions to mitigate the risk (Vendor Advisory).