CVE-2026-25152
📋 TL;DR
A path traversal vulnerability in Backstage's TechDocs local generator allows attackers to read arbitrary files from the host filesystem when processing documentation from untrusted sources. This affects Backstage instances configured with `techdocs.generator.runIn: local` where symlinks in documentation directories are followed during MkDocs builds, exposing file contents in generated HTML. Organizations using affected versions of @backstage/plugin-techdocs-node with local generation are vulnerable.
💻 Affected Systems
- Backstage
- @backstage/plugin-techdocs-node
📦 What is this software?
Backstage by Linuxfoundation
Backstage by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files (passwords, configuration files, SSH keys) and embed them into publicly accessible documentation pages, leading to full system compromise.
Likely Case
Unauthorized users reading internal configuration files, source code, or credentials from the host filesystem through manipulated documentation repositories.
If Mitigated
Limited to reading only files accessible by the Backstage process user, with no ability to modify files or execute code.
🎯 Exploit Status
Exploitation requires ability to create/modify documentation repositories that Backstage processes. The vulnerability is straightforward to exploit once an attacker can control documentation content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1
Vendor Advisory: https://github.com/backstage/backstage/security/advisories/GHSA-w669-jj7h-88m9
Restart Required: Yes
Instructions:
1. Update @backstage/plugin-techdocs-node to version 1.13.11 or 1.14.1 using npm or yarn. 2. Restart the Backstage application. 3. Verify the fix by checking the package version.
🔧 Temporary Workarounds
Switch to Docker generation
allChange TechDocs configuration to use Docker generation instead of local generation
In app-config.yaml, change `techdocs.generator.runIn: local` to `techdocs.generator.runIn: docker`
Restrict repository access
allLimit write access to TechDocs source repositories to trusted users only
🧯 If You Can't Patch
- Switch TechDocs configuration to use Docker generation mode instead of local generation
- Implement strict access controls on documentation repositories and audit all existing documentation for symlinks
🔍 How to Verify
Check if Vulnerable:
Check app-config.yaml for `techdocs.generator.runIn: local` and verify @backstage/plugin-techdocs-node version is below 1.13.11 or between 1.14.0 and 1.14.1Check Version:
npm list @backstage/plugin-techdocs-node or check package.jsonVerify Fix Applied:
Confirm @backstage/plugin-techdocs-node version is 1.13.11 or 1.14.1+ and that the application restarted successfully📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns during TechDocs generation
- Large HTML output sizes from TechDocs endpoints
- Errors related to symlink resolution in MkDocs logs
Network Indicators:
- Unusually large TechDocs page responses containing encoded or unexpected data
SIEM Query:
source="backstage-logs" AND ("symlink" OR "path traversal" OR "MkDocs error")