CVE-2026-25153 Overview
CVE-2026-25153 is a Code Injection vulnerability affecting the @backstage/plugin-techdocs-node package in the Backstage open-source developer portal framework. When TechDocs is configured with runIn: local, a malicious actor who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. This vulnerability allows attackers with repository write access to achieve remote code execution on the build infrastructure.
Critical Impact
Attackers with the ability to modify mkdocs.yml files can execute arbitrary Python code on TechDocs build servers, potentially leading to complete server compromise, data exfiltration, and lateral movement within the infrastructure.
Affected Products
- @backstage/plugin-techdocs-node versions prior to 1.13.11
- @backstage/plugin-techdocs-node versions 1.14.x prior to 1.14.1
- @techdocs/cli releases that bundle a vulnerable @backstage/plugin-techdocs-node
Discovery Timeline
- 2026-01-30 - CVE CVE-2026-25153 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-25153
Vulnerability Analysis
This vulnerability stems from the TechDocs plugin passing MkDocs configuration files to the generator unchecked. MkDocs, starting from version 1.4.0, supports hooks: a top-level list of paths to Python files that MkDocs imports as modules while loading the configuration and then calls on build events. Importing a module executes its top-level code, so a hook runs before the first build event fires; it does not even need to define an event handler. When TechDocs is configured with runIn: local, the build runs directly on the host system without containerization, so any Python code named in the hooks configuration executes with the privileges and environment of the TechDocs backend process.
The attack surface is particularly concerning in organizations where multiple developers or external contributors can submit changes to documentation repositories. An attacker only needs to insert a malicious hooks entry into an mkdocs.yml file to gain code execution on the build server.
Root Cause
The root cause is classified as CWE-94 (Improper Control of Generation of Code). The vulnerable versions of @backstage/plugin-techdocs-node did not validate or filter the contents of mkdocs.yml before handing it to the MkDocs generator. Hooks are a documented MkDocs feature, so the defect is not in MkDocs but in TechDocs treating a repository-controlled file as trusted build configuration: the hooks key lets that file name arbitrary Python scripts that are executed during the build. Without an allowlist of permitted configuration keys, an attacker could add a hooks directive and have the build server run code of their choosing.
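As an added illustration of the allowlist approach described here (this is example code, not Backstage's implementation, and the key list is an assumption), the following filter keeps only known MkDocs configuration keys, drops everything else, and logs what it removed. It operates on the mapping that yaml.safe_load returns; the sample document is constructed for the example.

```python
"""Allowlist filter for an mkdocs.yml mapping (illustrative, not Backstage code)."""
import logging
from typing import Any

log = logging.getLogger("techdocs.mkdocs-config")

# Assumed allowlist of MkDocs configuration keys a documentation author may set.
# "hooks" is deliberately absent: it imports arbitrary Python from the repository.
ALLOWED_MKDOCS_KEYS = frozenset({
    "site_name", "site_url", "site_description", "site_author", "copyright",
    "repo_url", "repo_name", "edit_uri", "nav", "docs_dir", "site_dir",
    "theme", "plugins", "markdown_extensions", "extra", "extra_css",
    "extra_javascript", "extra_templates", "strict", "use_directory_urls",
    "not_in_nav", "exclude_docs", "validation",
})


def sanitize_mkdocs_config(config: Any) -> tuple[dict[str, Any], list[str]]:
    """Return (filtered config, removed keys).

    Only top-level keys are filtered: MkDocs reads "hooks" at the top level,
    so that is where the dangerous key lives. A document that is not a mapping
    is rejected outright rather than passed on to the generator.
    """
    if config is None:          # empty mkdocs.yml parses to None
        return {}, []
    if not isinstance(config, dict):
        raise ValueError("mkdocs.yml must contain a mapping at the top level")
    kept: dict[str, Any] = {}
    removed: list[str] = []
    for key, value in config.items():
        if isinstance(key, str) and key in ALLOWED_MKDOCS_KEYS:
            kept[key] = value
        else:
            removed.append(str(key))
    if removed:
        # Operators can alert on this line; it names every key that was dropped.
        log.warning("removed unsupported mkdocs.yml keys before build: %s",
                    ", ".join(sorted(removed)))
    return kept, removed


# Constructed sample: what yaml.safe_load returns for
#   site_name: Payments Service
#   hooks:
#     - docs/hooks/build.py
#   plugins: [techdocs-core]
SAMPLE_CONFIG = {
    "site_name": "Payments Service",
    "hooks": ["docs/hooks/build.py"],
    "plugins": ["techdocs-core"],
}


def load_and_sanitize(path: str) -> tuple[dict[str, Any], list[str]]:
    """Load a real mkdocs.yml with PyYAML (imported lazily) and filter it."""
    import yaml  # safe_load never constructs arbitrary Python objects
    with open(path, encoding="utf-8") as fh:
        return sanitize_mkdocs_config(yaml.safe_load(fh))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    cfg, dropped = sanitize_mkdocs_config(SAMPLE_CONFIG)
    print("kept:", sorted(cfg), "dropped:", dropped)
```

Allowlisting keys restricts which features a repository can switch on; it does not make the remaining values safe by itself. The plugins key, for instance, stays allowed because MkDocs resolves plugin names only against packages already installed in the build environment, so it cannot pull code out of the repository the way hooks can.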
Attack Vector
The attack is network-accessible and requires only low privileges: specifically, the ability to modify files in a repository that TechDocs processes, which in many organizations is granted to every contributor. The attack complexity is rated high because two environmental conditions must hold: TechDocs must be configured with runIn: local, and the attacker must be able to change mkdocs.yml in a repository that TechDocs builds.
An attacker exploiting this vulnerability would craft a malicious mkdocs.yml file containing a hooks configuration pointing to a Python script that executes arbitrary commands. When TechDocs processes the documentation, MkDocs loads and executes the hook script, granting the attacker code execution on the build server. The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component's security scope—potentially compromising the underlying build infrastructure and any secrets or credentials accessible to the TechDocs service.
Detection Methods for CVE-2026-25153
Indicators of Compromise
- Unexpected hooks entries appearing in mkdocs.yml files within monitored repositories
- Unusual Python script files in documentation directories that are referenced by hooks configurations
- Anomalous process execution on TechDocs build servers, particularly Python processes spawning shell commands
- Network connections from TechDocs build servers to unexpected external destinations
Detection Strategies
- Implement file integrity monitoring for mkdocs.yml files across all repositories processed by TechDocs
- Configure code review automation to flag any pull requests that add or modify hooks configurations in MkDocs files
- Deploy endpoint detection and response (EDR) solutions on TechDocs build servers to monitor for suspicious process chains
- Enable comprehensive logging for the TechDocs build process to capture all configuration changes and build activities
Monitoring Recommendations
- Set up alerts for any modifications to mkdocs.yml files that introduce the hooks keyword
- Monitor TechDocs build server logs for warnings about removed configuration keys (introduced in the patched versions)
- Establish baseline behavior for TechDocs build processes and alert on deviations such as unexpected network activity or file system access
- Review access logs for repositories to identify unauthorized modifications to documentation configuration files
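The review-automation and alerting items above (flagging pull requests that add or modify hooks, alerting on changes that introduce the hooks keyword) can be implemented as a tripwire over the unified diff of a change. The following is an added example, not Backstage code or tooling: it scans a diff, flags a top-level hooks key added to any mkdocs.yml or mkdocs.yaml, lists the hook scripts it names, and reports whether the same change set also adds or modifies those scripts. The diff text is constructed for the example.

```python
"""Unified-diff tripwire for MkDocs hooks (added example, not Backstage code)."""
import posixpath
import re
from dataclasses import dataclass

MKDOCS_FILE = re.compile(r"(^|/)mkdocs\.ya?ml$")
DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
# Top-level "hooks" key only (column 0), quoted or bare; group 1 is the rest of the line.
HOOKS_KEY = re.compile(r"^['\"]?hooks['\"]?\s*:(.*)$")
FLOW_LIST = re.compile(r"^\s*\[(.*)\]")                       # hooks: [a.py, b.py]
LIST_ITEM = re.compile(r"^\s*-\s*['\"]?([^'\"#]+?)['\"]?\s*(?:#.*)?$")
TOP_LEVEL = re.compile(r"^[^\s#-]")                           # next top-level key


@dataclass(frozen=True)
class Finding:
    path: str     # the mkdocs config file the finding concerns
    detail: str   # the key or (repo-relative) script path that triggered it
    reason: str


def scan_diff(diff_text: str) -> list[Finding]:
    """Flag hooks keys and hook scripts added to MkDocs config files in a diff."""
    findings: list[Finding] = []
    touched: set[str] = set()                 # every file path in the diff
    scripts: list[tuple[str, str]] = []       # (config path, script as written)
    path = None
    in_hooks = False
    for raw in diff_text.splitlines():
        m = DIFF_HEADER.match(raw)
        if m:
            path, in_hooks = m.group(2), False
            touched.add(path)
            continue
        if path is None or not MKDOCS_FILE.search(path):
            continue
        # Keep added ("+") and context (" ") lines; skip removals, "+++" and "@@".
        if not raw or raw[0] not in "+ " or raw.startswith("+++"):
            continue
        added, text = raw[0] == "+", raw[1:]
        key = HOOKS_KEY.match(text)
        if key:
            in_hooks = True      # a context-line hooks key still opens the block
            if added:
                findings.append(Finding(path, "hooks", "hooks key added to MkDocs config"))
                flow = FLOW_LIST.match(key.group(1))
                if flow:
                    for item in flow.group(1).split(","):
                        if item.strip():
                            scripts.append((path, item.strip().strip("'\"")))
            continue
        if in_hooks:
            item = LIST_ITEM.match(text)
            if item:
                if added:
                    scripts.append((path, item.group(1)))
            elif TOP_LEVEL.match(text):
                in_hooks = False
    for cfg, script in scripts:
        # Hook paths are relative to the directory holding mkdocs.yml.
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(cfg), script))
        reason = "hook script listed"
        if resolved in touched:
            reason += "; the same change set adds or modifies it"
        findings.append(Finding(cfg, resolved, reason))
    return findings


# Constructed sample diff: a PR that adds a hooks entry and the script it names.
SAMPLE_DIFF = """\
diff --git a/mkdocs.yml b/mkdocs.yml
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -1,3 +1,5 @@
 site_name: Payments Service
 plugins:
   - techdocs-core
+hooks:
+  - docs/hooks/build.py
diff --git a/docs/hooks/build.py b/docs/hooks/build.py
new file mode 100644
--- /dev/null
+++ b/docs/hooks/build.py
@@ -0,0 +1,2 @@
+def on_config(config):
+    return config
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}: {f.detail} ({f.reason})")
```

This is a cheap first-line check suited to a pre-receive hook or a pull-request status check, and it should fail closed on any finding. Because it reads YAML with regular expressions, anchors and merge keys could hide a hooks entry from it; a YAML-aware variant (yaml.safe_load the file and inspect the top-level keys) closes that gap, and the patched plugin's own allowlist behaviour, described under Patch Information, remains the control that actually stops the build from running the hook.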
How to Mitigate CVE-2026-25153
Immediate Actions Required
- Upgrade @backstage/plugin-techdocs-node immediately: to 1.13.11 or later on the 1.13.x line, or to 1.14.1 or later on the 1.14.x line
- Upgrade @techdocs/cli to the latest version that includes the fixed @backstage/plugin-techdocs-node dependency
- Audit all mkdocs.yml files in repositories processed by TechDocs for any existing hooks configurations
- Review recent changes to documentation repositories for any suspicious modifications to MkDocs configuration files
Patch Information
The vulnerability has been addressed in @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys, including hooks, are now automatically removed from mkdocs.yml before running the generator, with a warning logged to indicate which keys were removed.
For detailed patch information and security advisory, refer to the GitHub Security Advisory GHSA-6jr7-99pf-8vgf.
Workarounds
- Configure TechDocs with runIn: docker instead of runIn: local so the build runs in a container; note this does not fully mitigate the risk, since a malicious hook still executes, but inside the container rather than on the host, which limits what it can reach
- Restrict repository permissions to limit who can modify mkdocs.yml files—only allow trusted contributors
- Implement mandatory PR review requirements for changes to mkdocs.yml files to detect malicious hooks configurations before merging
- Downgrade MkDocs on the build host to a version prior to 1.4.0 (e.g., 1.3.1), which does not support hooks; this may limit access to newer MkDocs features, and the mkdocs-techdocs-core package declares its own MkDocs dependency, so check that the installed release is compatible with the pinned MkDocs version
# Configuration example for switching to Docker-based TechDocs builds
# In your Backstage app-config.yaml:
techdocs:
  generator:
    runIn: docker # Change from 'local' to 'docker' for container isolation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

