PT-2026-5463 · Techdocs+3

High · benjdlambert · Published 2026-01-30 · Updated 2026-02-02 · CVE-2026-25153

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Backstage versions prior to 1.13.11 and versions prior to 1.14.1

Description

Backstage’s @backstage/plugin-techdocs-node component, used for TechDocs, is susceptible to remote code execution. When TechDocs is configured to run locally (runIn: local), a malicious actor who can modify a repository’s mkdocs.yml file can execute arbitrary Python code on the TechDocs build server through the configuration of MkDocs hooks. The issue stems from the lack of restrictions on the configuration keys allowed in mkdocs.yml.

The fix introduces an allowlist of supported MkDocs configuration keys, removing unsupported keys, including hooks, before running the generator.

As a workaround, configuring TechDocs to run in a Docker container (runIn: docker) provides container isolation, though it does not fully mitigate the risk. Limiting access to modify mkdocs.yml files and implementing PR review requirements for changes to these files can also help detect malicious configurations. Using MkDocs versions prior to 1.4.0, such as 1.3.1, can also mitigate the issue, though it may limit access to newer MkDocs features.

Recommendations

Upgrade @backstage/plugin-techdocs-node to version 1.13.11 or 1.14.1.
Configure TechDocs with runIn: docker instead of runIn: local.
Limit access to modify mkdocs.yml files to trusted contributors.
Implement PR review requirements for changes to mkdocs.yml files.
Use MkDocs version 1.3.1 or earlier.
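
The allowlist idea from the description, sketched as a review-time check that a CI job could run on a changed mkdocs.yml. This is an added example, not Backstage's code: the function name, the allowlist contents and the sample file are assumptions, and it scans top-level keys textually rather than parsing YAML, reporting any top-level line it cannot classify so that it gets a manual look.

```javascript
// Illustrative allowlist (assumption), NOT the list shipped in
// @backstage/plugin-techdocs-node. `hooks` is deliberately absent.
const ALLOWED_KEYS = new Set([
  'site_name', 'site_url', 'site_description', 'site_author', 'repo_url',
  'repo_name', 'edit_uri', 'copyright', 'docs_dir', 'nav', 'theme',
  'plugins', 'markdown_extensions', 'extra', 'extra_css', 'extra_javascript',
]);

// A top-level "key:" entry; the key may be bare, 'single' or "double" quoted.
// Quoted keys containing escapes do not match and are reported as unparsed.
const KEY_LINE = /^(?:"([^"\\]*)"|'([^']*)'|([A-Za-z_][\w-]*))\s*:(?:\s|$)/;

// Hypothetical helper: report top-level keys outside the allowlist, plus any
// top-level line the scanner cannot classify (fail closed: review by hand).
function auditMkdocsConfig(yamlText, allowed = ALLOWED_KEYS) {
  const unsupported = [];
  const unparsed = [];
  let base = null; // indentation of the top-level mapping, set by its first entry
  yamlText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trimEnd();
    const body = line.trimStart();
    if (body === '' || body.startsWith('#')) return; // blank line or comment
    if (line === '---' || line === '...') { base = null; return; } // document marker
    const indent = line.length - body.length;
    const hasTab = line.slice(0, indent).includes('\t');
    if (base === null) base = indent;
    if (!hasTab && indent > base) return; // nested under a top-level key
    if (!hasTab && indent === base && /^-(\s|$)/.test(body)) return; // list item of the previous key
    const m = hasTab || indent < base ? null : KEY_LINE.exec(body);
    if (!m) { unparsed.push({ line: i + 1, text: body }); return; }
    const key = m[1] ?? m[2] ?? m[3];
    if (!allowed.has(key)) unsupported.push({ line: i + 1, key });
  });
  return { unsupported, unparsed };
}

// Constructed sample: the whole mapping is indented two spaces and the key is quoted.
const SAMPLE = [
  '  site_name: Example docs',
  '  nav:',
  '    - Home: index.md',
  '  "hooks":',
  '    - scripts/build_hook.py',
].join('\n');

console.log(auditMkdocsConfig(SAMPLE));
```

A check like this supports the PR review recommendation; it does not replace upgrading, because the patched generator strips unsupported keys at build time regardless of what was merged.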

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-25153
GHSA-6JR7-99PF-8VGF

Affected Products

@backstage/plugin-techdocs-node
Backstage
MkDocs
TechDocs