Platform
nodejs
Component
@backstage/plugin-techdocs-node
Fixed in
1.13.12
1.14.1
1.14.2
CVE-2026-25153 is a remote code execution (RCE) vulnerability affecting @backstage/plugin-techdocs-node versions up to 1.14.0. This vulnerability allows a malicious actor to execute arbitrary Python code on the TechDocs build server if they can modify a repository's mkdocs.yml file when runIn: local is configured. The vulnerability is fixed in version 1.14.1 and later, and users are strongly advised to upgrade.
The primary impact of CVE-2026-25153 is remote code execution on the TechDocs build server. MkDocs treats the hooks key of mkdocs.yml as a list of Python files that it imports at build time (running any module-level code) and then calls as plugin event handlers, so an attacker who can submit or modify a repository's mkdocs.yml can have arbitrary Python executed during the documentation build. With runIn: local the build runs directly on the Backstage backend host rather than inside the TechDocs container, so a malicious hook runs with the backend's privileges and can read its filesystem, environment variables and credentials, install persistence, or pivot to other systems on the network. The underlying weakness is the same as in other MkDocs configuration issues: repository-controlled input is handed to the build tool without restricting which configuration keys it may set.
CVE-2026-25153 was publicly disclosed on 2026-02-02. There is no indication of this vulnerability being actively exploited at the time of writing, and no public proof-of-concept exploit has been released. The EPSS score is 0.02% (6th percentile), which is low, but that reflects the absence of observed exploitation rather than any difficulty: the only precondition is the ability to commit a mkdocs.yml to a repository that TechDocs builds with runIn: local, which in many organizations any contributor has.
Organizations using @backstage/plugin-techdocs-node with the runIn: local configuration are at significant risk. This includes teams that rely on automated documentation generation pipelines and allow external contributors to modify repository content. Shared hosting environments where multiple users have access to repository configurations are also particularly vulnerable.
• nodejs / server: find /path/to/techdocs/ -name 'mkdocs.yml' -print0 | xargs -0 grep -i 'hooks:'
• nodejs / server: npm list @backstage/plugin-techdocs-node
• generic web: Inspect mkdocs.yml files in repositories managed by TechDocs for the presence of the hooks configuration key. The grep above also matches a nested key named hooks (for example under theme or plugins); only a top-level hooks entry causes MkDocs to load Python files, so review each hit rather than treating every match as a finding.
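As an added example (not code from the Backstage project or from this advisory), the two checks below show what the detection steps above amount to in code: a dependency-free scan of raw mkdocs.yml text for a top-level hooks key, and an allowlist filter over an already-parsed configuration in the spirit of the fix. The allowlist is a hypothetical one chosen for illustration, not the list the patched plugin ships, and the sample mkdocs.yml is constructed.

```javascript
// Added example, not code from @backstage/plugin-techdocs-node or the advisory.
// Hypothetical allowlist of mkdocs.yml keys that cannot by themselves cause
// code to be loaded; `hooks` is deliberately absent.
const ALLOWED_MKDOCS_KEYS = new Set([
  'site_name', 'site_url', 'site_description', 'site_author', 'copyright',
  'repo_url', 'repo_name', 'edit_uri', 'docs_dir', 'site_dir', 'use_directory_urls',
  'nav', 'theme', 'plugins', 'markdown_extensions', 'extra', 'extra_css',
  'extra_javascript', 'extra_templates', 'strict',
]);

// Quick triage: a `hooks:` key at column 0 of the file. Indented keys named
// hooks (inside theme, plugins, ...) are not matched because they do not make
// MkDocs load Python files. Caveat: this is a text scan, not a YAML parse; it
// will miss flow-style or quoted keys, so use a real parser for anything final.
function hasTopLevelHooks(yamlText) {
  return /^hooks\s*:/m.test(yamlText);
}

// Allowlist filter over a parsed config object. Returns the sanitized config
// plus the dropped keys so the build can log what it removed.
function applyAllowlist(parsedConfig, allowlist = ALLOWED_MKDOCS_KEYS) {
  const sanitized = {};
  const removed = [];
  for (const [key, value] of Object.entries(parsedConfig)) {
    if (allowlist.has(key)) {
      sanitized[key] = value;
    } else {
      removed.push(key);
    }
  }
  return { sanitized, removed };
}

// Constructed sample: a docs repository whose mkdocs.yml has gained a hooks entry.
const SAMPLE_MKDOCS_YML = [
  'site_name: Example Service',
  'nav:',
  '  - Home: index.md',
  'hooks:',
  '  - docs/hooks/build_hook.py',
  '',
].join('\n');

// The same file as MkDocs would see it after YAML parsing, written out by hand
// so this example has no YAML dependency.
const SAMPLE_PARSED = {
  site_name: 'Example Service',
  nav: [{ Home: 'index.md' }],
  hooks: ['docs/hooks/build_hook.py'],
};

function demo() {
  const flagged = hasTopLevelHooks(SAMPLE_MKDOCS_YML);
  const { sanitized, removed } = applyAllowlist(SAMPLE_PARSED);
  return { flagged, removed, sanitizedKeys: Object.keys(sanitized) };
}

console.log(demo());
```

Note that allowlisting keys such as plugins does not by itself stop code from running: MkDocs plugins are Python packages that must already be installed in the build environment, so the allowlist bounds the attacker to whatever the builder image ships, which is why it should be combined with a container-based runIn setting rather than relied on alone.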
Disclosure: 2026-02-02
Exploit status: no known exploitation
EPSS: 0.02% (6th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-25153 is to upgrade to @backstage/plugin-techdocs-node version 1.14.1 or later. This version introduces an allowlist of supported MkDocs configuration keys, which drops the hooks key and with it the ability to load repository-supplied Python at build time. If upgrading immediately is not possible, switch the TechDocs generator from runIn: local to runIn: docker so that any hook still executes inside the TechDocs container rather than on the backend host; this contains the damage but does not remove the code execution itself. Review all mkdocs.yml files within your repositories for any unusual or unexpected configuration, in particular a hooks key, and restrict who can modify repository content that TechDocs builds. After upgrading, confirm the fix by inspecting the TechDocs build logs for warnings about removed configuration keys, or by rebuilding a test repository whose mkdocs.yml carries a benign hook and verifying that the hook's side effect no longer occurs.
Update the `@backstage/plugin-techdocs-node` package to version 1.13.11 or later, or to version 1.14.1 or later. This fixes the arbitrary code execution through MkDocs hooks. If you cannot update immediately, configure TechDocs with `runIn: docker` instead of `runIn: local`, or limit who can modify `mkdocs.yml` files.
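As an added example (not taken from the Backstage documentation or this advisory), the two fragments below show the generator setting in Backstage's app-config.yaml that the advisory is about: the exposed setting first, then the containerized one recommended as the interim workaround. Only the keys named on this page are used; the surrounding structure follows Backstage's techdocs configuration section.

```yaml
# Added example, not from the Backstage project or the advisory.
# app-config.yaml, TechDocs section: exposed setting.
# With plugin versions up to 1.14.0, a `hooks:` entry in a repository's
# mkdocs.yml is imported and run by mkdocs on the backend host itself.
techdocs:
  builder: 'local'
  generator:
    runIn: local
---
# app-config.yaml, TechDocs section: interim workaround.
# mkdocs runs inside the TechDocs container, so a malicious hook is confined
# to that container. Still upgrade to 1.14.1 or later: the hook still executes,
# it just no longer executes on the host.
techdocs:
  builder: 'local'
  generator:
    runIn: docker
```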
CVE-2026-25153 is a remote code execution vulnerability in @backstage/plugin-techdocs-node versions up to 1.14.0, allowing attackers to execute Python code on the build server through malicious mkdocs.yml configurations.
You are affected if you are using @backstage/plugin-techdocs-node version 1.14.0 or earlier, and your TechDocs configuration uses runIn: local.
Upgrade to @backstage/plugin-techdocs-node version 1.14.1 or later. This version includes a fix that restricts allowed MkDocs configuration keys.
There is currently no public information indicating that CVE-2026-25153 is being actively exploited.
Refer to the official Backstage security advisory for details: [https://backstage.io/security/advisories](https://backstage.io/security/advisories)