Description
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package.
Published: 2026-01-30
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution on Documentation Build Server
Action: Patch Immediately
AI Analysis

Impact

The flaw is in @backstage/plugin‑techdocs‑node and allows a malicious actor who can edit a repository’s mkdocs.yml file to inject arbitrary Python code that is executed during the local build of TechDocs. This grants the attacker full control of the build server where documentation is generated and can lead to compromise of the host system. The weakness is a code injection flaw (CWE‑94).

Affected Systems

Backstage instances that use @backstage/plugin‑techdocs‑node before version 1.13.11 and before 1.14.1 are affected. These versions ship with the Backstage framework and are also used by the @techdocs/cli tool. Upgrading to version 1.13.11 or later, or to 1.14.1 or later, eliminates the vulnerability.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.7 with an EPSS of less than 1%, and it is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to add or alter a mkdocs.yml file in a repository that TechDocs processes; if the build is run locally, the injected hooks code runs with the privileges of the build service. The risk is that an attacker who can modify repository content or influence pull requests can cause arbitrary code execution on the build server. Although running TechDocs in Docker mitigates process isolation, it does not fully eliminate the possibility of code injection. The risk is therefore significant for environments where local builds are performed and where repository write access is not tightly controlled.

Generated by OpenCVE AI on April 18, 2026 at 01:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @backstage/plugin‑techdocs‑node to 1.13.11 or later (or 1.14.1 or later) and ensure @techdocs/cli uses the updated plugin.
  • Reconfigure TechDocs to run in Docker instead of local to isolate the build environment, noting that this does not fully mitigate the risk.
  • Restrict write permissions on mkdocs.yml files in source repositories, enforce pull‑request review requirements, and set up CI checks to reject unsupported hooks keys.
  • As a temporary measure, use a MkDocs version earlier than 1.4.0, which does not support hooks, to prevent injection.

Generated by OpenCVE AI on April 18, 2026 at 01:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6jr7-99pf-8vgf @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
History

Thu, 19 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation backstage
CPEs cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation backstage

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Backstage
Backstage backstage
Vendors & Products Backstage
Backstage backstage

Mon, 02 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 31 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 30 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
Description Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package.
Title @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L'}

Subscriptions

Backstage Backstage
Linuxfoundation Backstage
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T16:29:34.938Z

Reserved: 2026-01-29T15:39:11.822Z

Link: CVE-2026-25153

cve-icon Vulnrichment

Updated: 2026-02-02T16:25:15.688Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-30T22:15:56.343

Modified: 2026-02-19T15:26:37.430

Link: CVE-2026-25153

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-30T21:31:58Z

Links: CVE-2026-25153 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses