PT-2026-5463 · CVE-2026-25153 · Techdocs
Severity: High (CVSS 8.8) · benjdlambert
2026-01-30
**Name of the Vulnerable Software and Affected Versions**

Backstage `@backstage/plugin-techdocs-node` versions prior to 1.13.11 (1.13 line) and prior to 1.14.1 (1.14 line).

**Description**

Backstage's `@backstage/plugin-techdocs-node` component, used for TechDocs, is susceptible to remote code execution. When TechDocs is configured to run locally (`runIn: local`), a malicious actor who can modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server through the configuration of MkDocs hooks. The issue stems from the lack of restrictions on the configuration keys allowed in `mkdocs.yml`.

The fix introduces an allowlist of supported MkDocs configuration keys and removes unsupported keys, including `hooks`, before running the generator.

As a workaround, configuring TechDocs to run in a Docker container (`runIn: docker`) provides container isolation, though it does not fully mitigate the risk. Limiting who can modify `mkdocs.yml` files and requiring PR review for changes to these files can also help detect malicious configurations. Using MkDocs versions prior to 1.4.0, such as 1.3.1, can also mitigate the issue, though it forgoes newer MkDocs features.

**Recommendations**

- Upgrade `@backstage/plugin-techdocs-node` to version 1.13.11 or 1.14.1.
- Configure TechDocs with `runIn: docker` instead of `runIn: local`.
- Limit access to modify `mkdocs.yml` files to trusted contributors.
- Require PR review for changes to `mkdocs.yml` files.
- Use MkDocs version 1.3.1 or earlier.
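As an added illustration, not Backstage's own code, a TypeScript filter that applies the allowlist idea described above to a `mkdocs.yml` before it reaches the generator and reports which top-level keys it dropped; the allowlist, the sample file and the function name are constructed for this example. It works on raw lines so that it runs without a YAML library; a production check should apply the same allowlist to the parsed YAML document so that flow-style and other spellings are covered.

```typescript
// Added example, not Backstage's own code: strip top-level mkdocs.yml keys that
// are not on an allowlist before the generator runs, and report what was
// removed so a CI check or PR reviewer can see that a `hooks` entry was present.

// ASSUMPTION: illustrative allowlist. The authoritative list of supported MkDocs
// keys is the one shipped in @backstage/plugin-techdocs-node, not this set.
const ALLOWED_MKDOCS_KEYS: ReadonlySet<string> = new Set([
  'site_name', 'site_description', 'site_url', 'repo_url', 'edit_uri',
  'docs_dir', 'nav', 'theme', 'markdown_extensions', 'plugins', 'extra',
]);

interface SanitizeResult {
  sanitized: string;  // mkdocs.yml text with disallowed top-level blocks removed
  removed: string[];  // top-level keys that were dropped, e.g. ["hooks"]
}

// A top-level block mapping key starts in column 0 (bare or quoted) and is
// followed by ':' plus whitespace or end of line. Every other line (indented,
// column-0 '-' sequence items, comments, blanks) belongs to the current block.
const TOP_LEVEL_KEY = /^(?:"([^"]+)"|'([^']+)'|([A-Za-z_][\w.-]*))\s*:(?:\s|$)/;

function sanitizeMkdocsYaml(yamlText: string): SanitizeResult {
  const kept: string[] = [];
  const removed: string[] = [];
  let dropping = false;
  for (const line of yamlText.split('\n')) {
    const m = TOP_LEVEL_KEY.exec(line);
    if (m) {
      const key = m[1] || m[2] || m[3] || '';
      dropping = !ALLOWED_MKDOCS_KEYS.has(key);
      if (dropping) removed.push(key);
    }
    if (!dropping) kept.push(line);
  }
  return { sanitized: kept.join('\n'), removed };
}

// Constructed sample: ordinary supported keys plus a `hooks` entry pointing at
// a Python file, the configuration the advisory describes as the vector.
const SAMPLE_MKDOCS_YML = `site_name: Example Service
nav:
  - Home: index.md
hooks:
  - docs/hooks/build_hook.py
theme:
  name: material
`;

const SAMPLE_RESULT = sanitizeMkdocsYaml(SAMPLE_MKDOCS_YML);
```

Logging `removed` from the build (or failing a PR check when it is non-empty) turns the allowlist into a detection signal as well as a mitigation.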