Arbitrary Code Execution Vulnerability in Backstage TechDocs Plugin
CVE-2026-25153
What is CVE-2026-25153?
@backstage/plugin-techdocs-node, which provides core functionality for TechDocs, contains a serious vulnerability: a malicious actor can execute arbitrary Python code on the TechDocs build server. The issue arises when TechDocs is configured with runIn: local and the attacker is able to modify the mkdocs.yml file. In affected versions prior to 1.13.11 and 1.14.1, the MkDocs hooks configuration was not handled safely, which made exploitation possible. The fixed releases introduce an allowlist that filters mkdocs.yml down to supported configuration keys, significantly reducing the attack surface. Users are advised to upgrade to the latest versions and to consider alternative configurations, such as runIn: docker, for stronger isolation of the build. Restricting who can modify mkdocs.yml and enforcing careful review of changes to it further mitigates the associated risk.
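The fix described above is an allowlist over mkdocs.yml keys. The following TypeScript is an added illustration of that pattern and is not Backstage's own code: the allowlist contents, the function names and the sample mkdocs.yml object are assumptions chosen for this example. It takes an already-parsed mkdocs.yml object (as a YAML parser would produce), keeps only keys on the allowlist, and reports which keys were dropped so a build pipeline can log or reject the change; the `hooks` key the advisory refers to is deliberately not on the list.

```typescript
// Added example, not Backstage's own implementation. The allowlist below is an
// assumption for illustration; a real deployment would use the project's list.

type MkdocsConfig = Record<string, unknown>;

// Assumed allowlist of top-level mkdocs.yml keys a TechDocs build needs.
// Keys that let MkDocs load arbitrary Python (such as `hooks`) are absent.
const ALLOWED_KEYS: ReadonlySet<string> = new Set([
  'site_name',
  'site_description',
  'site_url',
  'repo_url',
  'edit_uri',
  'docs_dir',
  'nav',
  'theme',
  'markdown_extensions',
  'extra',
  'extra_css',
  'extra_javascript',
  'plugins',
]);

interface FilterResult {
  config: MkdocsConfig; // the sanitized configuration to hand to MkDocs
  dropped: string[];    // keys removed because they are not allowlisted
}

// Return the top-level keys that are not on the allowlist, without modifying anything.
function findDisallowedKeys(input: MkdocsConfig): string[] {
  return Object.keys(input).filter(key => !ALLOWED_KEYS.has(key));
}

// Build a new config containing only allowlisted keys (default-deny on unknown keys).
function filterMkdocsConfig(input: MkdocsConfig): FilterResult {
  const config: MkdocsConfig = {};
  const dropped: string[] = [];
  for (const [key, value] of Object.entries(input)) {
    if (ALLOWED_KEYS.has(key)) {
      config[key] = value;
    } else {
      dropped.push(key);
    }
  }
  return { config, dropped };
}

// Constructed sample of what a repository-controlled mkdocs.yml might contain
// after parsing. The `hooks` entry is the kind of key the allowlist removes.
const SAMPLE_CONFIG: MkdocsConfig = {
  site_name: 'Example service docs',
  nav: [{ Home: 'index.md' }],
  plugins: ['techdocs-core'],
  hooks: ['docs/hooks/example_hook.py'], // constructed path, no file exists
};

function demo(): FilterResult {
  const result = filterMkdocsConfig(SAMPLE_CONFIG);
  if (result.dropped.length > 0) {
    console.log(`mkdocs.yml: dropped unsupported keys: ${result.dropped.join(', ')}`);
  }
  return result;
}

demo();
```

A build pipeline would call `findDisallowedKeys` in a pre-build check to fail fast and surface the offending key to reviewers, and `filterMkdocsConfig` as the last step before invoking MkDocs so that nothing outside the allowlist reaches the generator regardless of how the file was produced.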

Affected Version(s)
backstage < 1.13.11
backstage = 1.14.0
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
