
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The Backstage Scaffolder plugin vulnerability (CVE-2025-32791) was discovered and disclosed on April 16, 2025. This security issue affects the Backstage permission plugin backend, specifically versions prior to 0.6.0. The vulnerability allows callers to extract information about conditional decisions returned by the permission policy installed in the permission backend (GitHub Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, needs no user interaction, has unchanged scope, and only impacts confidentiality at a low level. The weakness has been categorized as CWE-213 (Exposure of Sensitive Information Due to Incompatible Policies) (NVD, GitHub Advisory).
The vulnerability's impact is limited to scenarios where the permission system is in use and the installed permission policy utilizes conditional decisions. In such cases, attackers can potentially extract information about the conditional decisions returned by the permission policy. If the permission system is not in use or if the installed permission policy does not use conditional decisions, there is no impact (GitHub Advisory).
The vulnerability has been patched in version 0.6.0 of the permissions backend. As a workaround, administrators of permission policies can ensure that conditional decisions do not contain any sensitive information. It is recommended to upgrade to the patched version to fully address the vulnerability (GitHub Advisory).
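To find installs that still resolve to a release prior to 0.6.0, the following added example (not code from Backstage or the advisory) scans `yarn.lock` text for resolved versions of the permission backend. It assumes the npm package name `@backstage/plugin-permission-backend` and conservatively treats a prerelease of 0.6.0 as unpatched; the sample lockfile text is constructed.

```javascript
// Assumption: npm package name of the Backstage permission backend plugin.
const PKG = "@backstage/plugin-permission-backend";
const FIXED = [0, 6, 0]; // patched version stated in the advisory summary

// True when a resolved version sorts before FIXED. A prerelease such as
// 0.6.0-next.1 sorts before 0.6.0 in semver, so it is flagged as well.
function isAffected(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) return true; // unparseable: flag for manual review
  const nums = [+m[1], +m[2], +m[3]];
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Collect every resolved version of PKG from yarn.lock text.
// Handles classic (version "x") and Berry (version: x) entry syntax.
function findResolvedVersions(lockText) {
  const versions = [];
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) {
      // Entry header: comma-separated "name@range" descriptors ending in ":".
      inEntry = line.replace(/:$/, "").split(",")
        .some((d) => d.trim().replace(/^"|"$/g, "").startsWith(PKG + "@"));
    } else if (inEntry) {
      const m = /^\s+version:?\s+"?([^"\s]+)"?/.exec(line);
      if (m) { versions.push(m[1]); inEntry = false; }
    }
  }
  return versions;
}

function audit(lockText) {
  return findResolvedVersions(lockText)
    .map((version) => ({ version, affected: isAffected(version) }));
}

// Constructed sample: mixes both entry syntaxes only to exercise the parser.
const SAMPLE_LOCK = `# yarn lockfile v1
"@backstage/plugin-permission-backend@^0.5.40":
  version "0.5.40"
"@backstage/plugin-permission-backend-module-allow-all-policy@^0.2.0":
  version "0.2.0"
"@backstage/plugin-permission-backend@npm:^0.6.0":
  version: 0.6.0
`;
console.log(audit(SAMPLE_LOCK));
```

Entries for other packages that merely share the name prefix, such as backend modules, are ignored because the match requires the exact name followed by `@`.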
Source: This report was generated using AI