Impact
The vulnerability resides in the @backstage/plugin-techdocs-node component of the Backstage framework, which is used to build developer portals. Prior to version 1.14.3, the component relied on an allowlist to filter dangerous MkDocs configuration keys. A gap in that allowlist allows an attacker to supply a crafted mkdocs.yml file that bypasses the filter and results in arbitrary Python code execution during the documentation build. The flaw maps to multiple weaknesses, including untrusted file upload, unsafe configuration handling, and pointer manipulation, as reflected by CWE-, CWE-74, and CWE-791. If exploited, an attacker can run code with the privileges of the Backstage process, potentially gaining full system compromise and impacting confidentiality, integrity, and availability.
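The fix class described above is a deny-by-default check on the parsed mkdocs.yml: every top-level key, plugin and theme option must appear on an allowlist, so a dangerous key that the filter never anticipated is rejected rather than passed through. The following is an added example written for this advisory, not Backstage's own validator; the allowlisted key and plugin names and the sample configurations are assumptions chosen for illustration.

```python
from typing import Any, Iterable

# Deny-by-default: only these top-level mkdocs.yml keys pass. Any key not listed
# is rejected, so a gap in a denylist of "known dangerous" keys cannot be abused.
# Key names are assumed for this example, not taken from Backstage.
SAFE_TOP_LEVEL_KEYS = frozenset({
    "site_name", "site_description", "site_url", "repo_url", "repo_name",
    "edit_uri", "docs_dir", "site_dir", "nav", "theme", "markdown_extensions",
    "extra", "extra_css", "extra_javascript", "plugins", "copyright",
})
# A plugin is Python imported by name, so plugins get their own short allowlist.
SAFE_PLUGINS = frozenset({"search", "techdocs-core"})
# Theme options that point at files on disk (e.g. custom_dir) are not allowed.
SAFE_THEME_KEYS = frozenset({"name", "language", "features", "palette", "font"})


def _plugin_names(plugins: Any) -> Iterable[str]:
    """MkDocs accepts ['search'], [{'search': {...}}] or {'search': {...}}."""
    if isinstance(plugins, dict):
        return plugins.keys()
    if isinstance(plugins, list):
        return [next(iter(p)) if isinstance(p, dict) else str(p) for p in plugins]
    return [str(plugins)]


def validate_mkdocs_config(config: dict) -> list[str]:
    """Return violations for a parsed mkdocs.yml; an empty list means accepted.

    `config` is expected to come from yaml.safe_load(), which already refuses
    `!!python/...` tags, so only key-level checks are needed here.
    """
    problems: list[str] = []
    for key in config:
        if key not in SAFE_TOP_LEVEL_KEYS:
            problems.append(f"top-level key not allowlisted: {key}")
    for name in _plugin_names(config.get("plugins", [])):
        if name not in SAFE_PLUGINS:
            problems.append(f"plugin not allowlisted: {name}")
    theme = config.get("theme")
    if isinstance(theme, dict):
        for key in theme:
            if key not in SAFE_THEME_KEYS:
                problems.append(f"theme key not allowlisted: {key}")
    for key in ("docs_dir", "site_dir"):  # keep the build inside the docs tree
        value = config.get(key)
        if isinstance(value, str) and (value.startswith("/") or ".." in value.split("/")):
            problems.append(f"{key} escapes the documentation directory: {value}")
    return problems


# Constructed samples: an unknown top-level key and an unknown plugin are refused.
SAMPLE_BAD = {"site_name": "Docs", "hooks": ["x.py"], "plugins": ["search", "evil"]}
SAMPLE_OK = {"site_name": "Docs", "nav": [{"Home": "index.md"}], "plugins": ["search"]}
```

Reject the build when the returned list is non-empty and log each entry; the message text names the offending key so the rejection is reviewable.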
Affected Systems
Organisations running Backstage versions older than 1.14.3 are affected. The vulnerability is specific to the @backstage/plugin-techdocs-node package, part of the Backstage GitHub project. No explicit sub-versions are listed beyond the fixed version 1.14.3, so any build using the plugin before this release is susceptible.
Risk and Exploitability
The CVSS base score of 7.7 indicates high severity. The EPSS score is reported as less than 1%, meaning the probability of exploitation is presently very low but not zero. The vulnerability is not yet listed in CISA's KEV catalog. Exploitation requires an attacker to supply a malicious mkdocs.yml file, most likely via a configuration repository or a public documentation source, so the attack vector is likely local or web-based within the documentation build pipeline. Despite the low current exploitation likelihood, the impact is catastrophic, warranting urgent action.