Description
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, a path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation. This vulnerability is fixed in` @backstage/plugin-techdocs-node` versions 1.13.11 and 1.14.1. Some workarounds are available. Switch to `runIn: docker` in `app-config.yaml` and/or restrict write access to TechDocs source repositories to trusted users only.
Published: 2026-01-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Read arbitrary host files via local TechDocs generation
Action: Patch
AI Analysis

Impact

A path traversal flaw in @backstage/plugin-techdocs-node allows an attacker who can supply documentation containing symbolic links to read any files on the host filesystem when the local generator is enabled. The extracted file contents are embedded into the generated HTML, making them accessible to any user who views the documentation, thereby exposing potentially confidential data. The vulnerability stems from missing sanitization of symlink paths and is classified as CWE-22.

Affected Systems

The vulnerability affects the Backstage framework, specifically the @backstage/plugin-techdocs-node component. Versions prior to 1.13.11 and 1.14.1 are vulnerable; the fix is included in those and later releases.

Risk and Exploitability

The CVSSv3 score is 5.3, indicating a moderate impact. The EPSS score is less than 1 %, suggesting low current exploitation probability. The flaw is not listed in CISA’s KEV catalog. Exploitation requires Backstage to be configured with "techdocs.generator.runIn: local" and an attacker to be able to supply the documentation to be built, typically through access to the source repository. Once the generator processes untrusted docs, it follows symlinks and reads the target files, which are then returned in the generated site.

Generated by OpenCVE AI on April 18, 2026 at 01:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade '@backstage/plugin-techdocs-node' to version 1.13.11 or later, or to 1.14.1 or later if using that series
  • If an upgrade cannot be performed immediately, change the configuration to "techdocs.generator.runIn: docker" in app-config.yaml to enforce containerized generation
  • Restrict write access to TechDocs source repositories so that only trusted users can contribute documentation, preventing malicious symlinks from being introduced

Generated by OpenCVE AI on April 18, 2026 at 01:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w669-jj7h-88m9 @backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator
History

Thu, 19 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation backstage
CPEs cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation backstage

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Backstage
Backstage backstage
Vendors & Products Backstage
Backstage backstage

Mon, 02 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 31 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 30 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
Description Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, a path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation. This vulnerability is fixed in` @backstage/plugin-techdocs-node` versions 1.13.11 and 1.14.1. Some workarounds are available. Switch to `runIn: docker` in `app-config.yaml` and/or restrict write access to TechDocs source repositories to trusted users only.
Title @backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Backstage Backstage
Linuxfoundation Backstage
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T16:29:27.963Z

Reserved: 2026-01-29T15:39:11.821Z

Link: CVE-2026-25152

cve-icon Vulnrichment

Updated: 2026-02-02T16:25:13.990Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-30T22:15:56.190

Modified: 2026-02-19T15:37:56.570

Link: CVE-2026-25152

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-30T21:51:22Z

Links: CVE-2026-25152 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses