Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1mOGo0LXA1Y3ItcDc3N84ABG2B

Moderate EPSS: 0.00033% (0.07996 Percentile) EPSS:
Permalink JSON

Permission policy information leakage in Backstage permission system

Affected Packages Affected Versions Fixed Versions
npm:@backstage/plugin-permission-backend < 0.6.0 0.6.0
4 Dependent packages
144 Dependent repositories
121,561 Downloads last month

Affected Version Ranges

All affected versions

0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.5.11, 0.5.12, 0.5.13, 0.5.14, 0.5.15, 0.5.16, 0.5.17, 0.5.18, 0.5.19, 0.5.20, 0.5.21, 0.5.22, 0.5.23, 0.5.24, 0.5.25, 0.5.26, 0.5.27, 0.5.28, 0.5.29, 0.5.30, 0.5.31, 0.5.32, 0.5.33, 0.5.34, 0.5.35, 0.5.36, 0.5.37, 0.5.38, 0.5.39, 0.5.40, 0.5.41, 0.5.42, 0.5.43, 0.5.44, 0.5.45, 0.5.46, 0.5.47, 0.5.48, 0.5.49, 0.5.50, 0.5.51, 0.5.52

All unaffected versions

Impact

A vulnerability in the Backstage permission plugin backend allows callers to extract some information about the conditional decisions returned by the permission policy installed in the permission backend. If the permission system is not in use or if the installed permission policy does not use conditional decisions, there is no impact.

Patches

This issue has been resolved in version 0.6.0 of the permissions backend.

Workarounds

Administrators of the permission policies can ensure that they are crafted in such a way that conditional decisions do not contain any sensitive information.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README

References:

Identifiers

GHSA-f8j4-p5cr-p777

CVE-2025-32791

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00033

EPSS Percentile: 0.07996

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/backstage/backstage

Date and time

Published

3 months ago

Updated

3 months ago

API

JSON