PT-2024-9764 · npm · @backstage/plugin-catalog-backend

Rugvip · Published 2024-09-09 · Updated 2025-01-03 · CVE-2024-45815

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-catalog-backend, versions prior to 1.26.0
Description: A malicious actor with authenticated access to a Backstage instance that has the catalog backend plugin installed can disrupt the service by sending a specially crafted query to the catalog API. The root cause is uncontrolled modification of object prototype attributes (prototype pollution), which a remote attacker can trigger with a specially crafted API request to cause a denial of service.
Recommendations: For versions prior to 1.26.0, upgrade to release 1.26.0 of the @backstage/plugin-catalog-backend package, which fixes the issue. Restricting access to the catalog API can reduce exposure until the upgrade is applied, but there is no known workaround that resolves the issue other than upgrading to the fixed version.

Tags: Exploit · Fix · Prototype Pollution

Weakness Enumeration

Related Identifiers
BDU:2024-11510
CVE-2024-45815
GHSA-3X3F-JCP3-G22J

Affected Products
@backstage/plugin-catalog-backend