{"id":"GHSA-6jr7-99pf-8vgf","summary":"@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks","details":"### Impact\n\nWhen TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration.\n\n### Patches\n\nUpgrade to `@backstage/plugin-techdocs-node` version 1.13.11, 1.14.1 or later.\nThe fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed.\n\n**Note**: Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency.\n\n### Workarounds\n\nIf you cannot upgrade immediately:\n\n1. Use Docker mode with restricted access: Configure TechDocs with `runIn: docker` instead of `runIn: local`. This provides container isolation, though it does not fully mitigate the risk.\n2. Restrict repository access: Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes. Only allow trusted contributors.\n3. Manual review: Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged.\n4. Downgrade MkDocs: Use MkDocs \u003c 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features.\n\n**Note**: Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package.\n\n### References\n\n[MkDocs Hooks Documentation](https://www.mkdocs.org/user-guide/configuration/#hooks)\n[MkDocs 1.4 Release Notes](https://www.mkdocs.org/about/release-notes/#version-14-2022-09-27)\n[TechDocs Architecture](https://backstage.io/docs/features/techdocs/architecture)","aliases":["CVE-2026-25153"],"modified":"2026-02-03T17:51:32.962569Z","published":"2026-02-02T20:19:58Z","database_specific":{"severity":"HIGH","cwe_ids":["CWE-94"],"github_reviewed":true,"github_reviewed_at":"2026-02-02T20:19:58Z","nvd_published_at":"2026-01-30T22:15:56Z"},"references":[{"type":"WEB","url":"https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25153"},{"type":"PACKAGE","url":"https://github.com/backstage/backstage"}],"affected":[{"package":{"name":"@backstage/plugin-techdocs-node","ecosystem":"npm","purl":"pkg:npm/%40backstage/plugin-techdocs-node"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.14.0"},{"fixed":"1.14.1"}]}],"versions":["1.14.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-6jr7-99pf-8vgf/GHSA-6jr7-99pf-8vgf.json"}},{"package":{"name":"@backstage/plugin-techdocs-node","ecosystem":"npm","purl":"pkg:npm/%40backstage/plugin-techdocs-node"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.13.11"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-6jr7-99pf-8vgf/GHSA-6jr7-99pf-8vgf.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L"}]}