Backstage is an open-source framework used to build developer portals, and its plugin-auth-backend module provides authentication capabilities including an experimental OpenID Connect (OIDC) provider. Prior to version 0.27.1, this OIDC provider contains a vulnerability classified as CWE-601 (Open Redirect) due to a redirect URI allowlist bypass. Specifically, when experimental features such as Dynamic Client Registration or Client ID Metadata Documents are enabled and configured with allowedRedirectUriPatterns, the validation logic for redirect URIs can be circumvented. An attacker can craft a redirect URI that appears valid against the allowlist patterns but ultimately resolves to a malicious domain under the attacker's control. When a victim user initiates an OAuth flow and consents to the authorization request, the authorization code is redirected to the attacker’s URI. The attacker can then exchange this code for a valid access token, compromising the victim’s session or access rights. This attack requires the victim’s interaction to approve the OAuth consent screen and the explicit enabling of experimental features, which are off by default. The vulnerability does not impact Backstage instances that do not enable these experimental features. No public exploits have been reported as of now. The issue was addressed and fixed in Backstage version 0.27.1 by correcting the redirect URI validation logic to properly enforce the allowlist and prevent bypasses.

The primary impact of this vulnerability is the potential theft of OAuth authorization codes, which can be exchanged for access tokens granting unauthorized access to protected resources. This compromises confidentiality by exposing sensitive tokens to attackers. Integrity impact is limited as the attacker cannot directly modify data but can impersonate the victim. Availability is not affected. The attack requires user interaction and enabling of experimental features, limiting the scope but still posing a significant risk for organizations using Backstage with these configurations. Organizations relying on Backstage for internal developer portals and authentication may face unauthorized access to internal services or cloud resources if exploited. The medium CVSS score reflects the moderate ease of exploitation combined with the high confidentiality impact. Since Backstage is used by many enterprises and cloud providers for developer tooling, the vulnerability could be leveraged in targeted attacks against software development environments, potentially leading to broader supply chain or internal network compromises.

Organizations should upgrade all Backstage instances to version 0.27.1 or later, where the vulnerability is fixed. If upgrading immediately is not feasible, administrators should disable the experimental Dynamic Client Registration and Client ID Metadata Documents features to prevent exposure. Review and tighten allowedRedirectUriPatterns configurations to ensure strict validation of redirect URIs. Implement monitoring and alerting on OAuth authorization flows for unusual redirect URIs or consent approvals. Educate users to be cautious when approving OAuth consent screens, especially if unexpected. Consider implementing additional OAuth security measures such as PKCE (Proof Key for Code Exchange) to reduce the risk of authorization code interception. Regularly audit and update Backstage plugins and dependencies to incorporate security patches promptly. Finally, conduct penetration testing focused on OAuth flows to detect any residual redirect or authorization code vulnerabilities.