{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25153", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.822Z", "datePublished": "2026-01-30T21:31:58.870Z", "dateUpdated": "2026-02-02T16:29:34.938Z"}, "containers": {"cna": {"title": "@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf"}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"version": "< 1.13.11", "status": "affected"}, {"version": "= 1.14.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T21:31:58.870Z"}, "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package."}], "source": {"advisory": "GHSA-6jr7-99pf-8vgf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T16:25:14.817846Z", "id": "CVE-2026-25153", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:29:34.938Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25153", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T16:25:14.817846Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:25:15.688Z"}}], "cna": {"title": "@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks", "source": {"advisory": "GHSA-6jr7-99pf-8vgf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "backstage", "product": "backstage", "versions": [{"status": "affected", "version": "< 1.13.11"}, {"status": "affected", "version": "= 1.14.0"}]}], "references": [{"url": "https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf", "name": "https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T21:31:58.870Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25153", "state": "PUBLISHED", "dateUpdated": "2026-02-02T16:29:34.938Z", "dateReserved": "2026-01-29T15:39:11.822Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-30T21:31:58.870Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*", "matchCriteriaId": "086F7DE4-8356-4AE3-9E29-B852A5C4B2DB", "versionEndExcluding": "1.13.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:backstage:*:*:*:*:*:*:*:*", "matchCriteriaId": "0393AC7C-1889-4869-ABAF-1C5D96CA2C06", "versionEndExcluding": "1.14.1", "versionStartIncluding": "1.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package."}], "id": "CVE-2026-25153", "lastModified": "2026-02-19T15:26:37.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-30T22:15:56.343", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "@backstage/plugin-techdocs-node: @backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks", "id": "2435576", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435576"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-94", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-25153", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-01-30T21:31:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25153\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25153\nhttps://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T01:02:32.242502+00:00", "value": {"mitigation_remediation": ["Upgrade @backstage/plugin\u2011techdocs\u2011node to 1.13.11 or later (or 1.14.1 or later) and ensure @techdocs/cli uses the updated plugin. ", "Reconfigure TechDocs to run in Docker instead of local to isolate the build environment, noting that this does not fully mitigate the risk. ", "Restrict write permissions on mkdocs.yml files in source repositories, enforce pull\u2011request review requirements, and set up CI checks to reject unsupported hooks keys. ", "As a temporary measure, use a MkDocs version earlier than 1.4.0, which does not support hooks, to prevent injection."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary Code Execution on Documentation Build Server"}, "threat_synthesis": {"affected_systems": "Backstage instances that use @backstage/plugin\u2011techdocs\u2011node before version 1.13.11 and before 1.14.1 are affected. These versions ship with the Backstage framework and are also used by the @techdocs/cli tool. Upgrading to version 1.13.11 or later, or to 1.14.1 or later, eliminates the vulnerability.", "description_and_impact": "The flaw is in @backstage/plugin\u2011techdocs\u2011node and allows a malicious actor who can edit a repository\u2019s mkdocs.yml file to inject arbitrary Python code that is executed during the local build of TechDocs. This grants the attacker full control of the build server where documentation is generated and can lead to compromise of the host system. The weakness is a code injection flaw (CWE\u201194).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.7 with an EPSS of less than 1%, and it is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to add or alter a mkdocs.yml file in a repository that TechDocs processes; if the build is run locally, the injected hooks code runs with the privileges of the build service. The risk is that an attacker who can modify repository content or influence pull requests can cause arbitrary code execution on the build server. Although running TechDocs in Docker mitigates process isolation, it does not fully eliminate the possibility of code injection. The risk is therefore significant for environments where local builds are performed and where repository write access is not tightly controlled."}}}}, "created": "2026-02-02T09:26:46.061563+00:00", "updated": "2026-04-18T01:15:05.978119+00:00", "vendors": ["backstage", "backstage$PRODUCT$backstage"]}