CVE-2026-25153
Arbitrary Code Execution via MkDocs Hooks in Backstage TechDocs Node
Publication date: 2026-01-30
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | backstage | to 1.13.11 (exc) |
| linuxfoundation | backstage | From 1.14.0 (inc) to 1.14.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1 when TechDocs is configured with 'runIn: local'. A malicious actor who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. The vulnerability arises because unsupported configuration keys, including 'hooks', were not removed before running the generator, allowing code execution through MkDocs hooks.
How can this vulnerability impact me? :
The vulnerability can allow a malicious actor to execute arbitrary Python code on the TechDocs build server. This can lead to unauthorized code execution, potentially compromising the build server's confidentiality, integrity, and availability. The CVSS score indicates high impact on confidentiality and availability, and low impact on integrity, meaning sensitive data could be exposed or the system could be disrupted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for unauthorized or malicious modifications to the mkdocs.yml file in repositories processed by TechDocs. Since the vulnerability arises from malicious hooks configurations in mkdocs.yml, you should audit changes to these files, especially looking for the presence of unsupported keys like 'hooks'. Implementing PR review requirements for mkdocs.yml changes can help detect malicious configurations before merging. Specific commands are not provided in the context.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Upgrade @backstage/plugin-techdocs-node to version 1.13.11 or 1.14.1 or later, which contain the fix that removes unsupported keys like 'hooks' from mkdocs.yml. 2) Configure TechDocs with 'runIn: docker' instead of 'runIn: local' to provide container isolation, although this does not fully mitigate the risk. 3) Limit who can modify mkdocs.yml files to trusted contributors only. 4) Implement PR review requirements for changes to mkdocs.yml to detect malicious hooks configurations before merging. 5) Optionally, use MkDocs versions earlier than 1.4.0 (e.g., 1.3.1) which do not support hooks, though this may limit access to newer features. Note that building documentation in CI/CD pipelines using @techdocs/cli does not mitigate the vulnerability as it uses the same vulnerable package.