GHSA-f8j4-p5cr-p777: Permission policy information leakage in Backstage permission system

April 16, 2025

A vulnerability in the Backstage permission plugin backend allows callers to extract some information about the conditional decisions returned by the permission policy installed in the permission backend. If the permission system is not in use or if the installed permission policy does not use conditional decisions, there is no impact.

References

github.com/advisories/GHSA-f8j4-p5cr-p777
github.com/backstage/backstage
github.com/backstage/backstage/security/advisories/GHSA-f8j4-p5cr-p777

Code Behaviors & Features

Detect and mitigate GHSA-f8j4-p5cr-p777 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →