@backstage/plugin-catalog-backend Prototype Pollution vulnerability
Description
Published by the National Vulnerability Database
Sep 17, 2024
Published to the GitHub Advisory Database
Sep 17, 2024
Reviewed
Sep 17, 2024
Last updated
Nov 18, 2024
Impact
A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.
Patches
This has been fixed in the
1.26.0
release of the@backstage/plugin-catalog-backend
package.References
If you have any questions or comments about this advisory:
Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README
References