PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25153 backstage CVE debrief

CVE-2026-25153 is a high-severity vulnerability in the Backstage developer portal framework. It affects @backstage/plugin-techdocs-node versions prior to 1.13.11 and 1.14.1. An attacker who can submit or modify a repository's mkdocs.yml file can use the MkDocs hooks configuration to execute arbitrary Python code on the TechDocs build server. The fix introduces an allowlist of supported MkDocs configuration keys and removes unsupported keys, including hooks, from mkdocs.yml before running the generator.

Vendor: backstage
Product: Unknown
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-30
Original CVE updated: 2026-06-30
Advisory published: 2026-01-30
Advisory updated: 2026-06-30

Who should care

Users of Backstage and @backstage/plugin-techdocs-node should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to versions 1.13.11 or 1.14.1 of @backstage/plugin-techdocs-node, configuring TechDocs with runIn: docker, limiting who can modify mkdocs.yml files, and implementing PR review requirements for changes to mkdocs.yml files.

Technical summary

The vulnerability is caused by the lack of validation and sanitization of the user-supplied mkdocs.yml file before it is handed to MkDocs. This allows an attacker to inject arbitrary Python code, which is then executed on the TechDocs build server. The fix addresses this by introducing an allowlist of supported MkDocs configuration keys and removing unsupported keys, including hooks, from mkdocs.yml before running the generator, so a hooks entry never reaches MkDocs.
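As an added example (not Backstage's own code) of the allowlist approach the fix takes, the following strips non-allowlisted top-level keys such as hooks from a mkdocs.yml before the generator runs; the allowlist, the helper names and the sample config are assumptions for illustration, not the project's actual list or implementation.

```javascript
// Added example, not Backstage's code: allowlist-based mkdocs.yml sanitizer.
// The allowed keys below are an assumption for illustration, not the real list.
const MKDOCS_ALLOWED_KEYS = new Set([
  'site_name', 'site_description', 'site_url', 'repo_url', 'docs_dir', 'nav',
  'theme', 'plugins', 'markdown_extensions', 'extra', 'extra_css', 'extra_javascript',
]);

// Split the file into top-level blocks (a key at column 0 plus its indented
// continuation lines). Done by hand so the example runs without a YAML library;
// a real implementation would parse the YAML and filter the resulting object.
function splitTopLevelBlocks(yamlText) {
  const blocks = [];
  let current = null;
  for (const line of yamlText.split('\n')) {
    const m = /^([A-Za-z_][\w-]*)\s*:/.exec(line);
    if (m) {
      current = { key: m[1], lines: [line] };
      blocks.push(current);
    } else if (current) {
      current.lines.push(line);
    } else {
      blocks.push({ key: null, lines: [line] }); // leading comments or blank lines
    }
  }
  return blocks;
}

// Keep only allowlisted keys; report what was dropped so the build log records it.
function sanitizeMkdocsConfig(yamlText, allowed = MKDOCS_ALLOWED_KEYS) {
  const kept = [];
  const removed = [];
  for (const block of splitTopLevelBlocks(yamlText)) {
    if (block.key === null || allowed.has(block.key)) kept.push(...block.lines);
    else removed.push(block.key);
  }
  return { yaml: kept.join('\n'), removed };
}

// Constructed sample config that smuggles a hooks entry in between normal keys.
const SAMPLE_MKDOCS_YML = [
  'site_name: Example Service Docs',
  'nav:',
  '  - Home: index.md',
  'hooks:',
  '  - docs/build_hook.py',
  'plugins:',
  '  - techdocs-core',
].join('\n');
console.log(sanitizeMkdocsConfig(SAMPLE_MKDOCS_YML).removed); // [ 'hooks' ]
```

Logging the removed keys matters operationally: a mkdocs.yml that repeatedly has hooks stripped is worth a look from whoever reviews changes to that repository.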

Defensive priority

High

Recommended defensive actions

  • Upgrade to versions 1.13.11 or 1.14.1 of @backstage/plugin-techdocs-node
  • Configure TechDocs with runIn: docker to provide container isolation
  • Limit who can modify mkdocs.yml files in repositories that TechDocs processes
  • Implement PR review requirements for changes to mkdocs.yml files
  • Use MkDocs < 1.4.0 (e.g., 1.3.1), which does not support hooks

Evidence notes

The CVE-2026-25153 vulnerability was publicly disclosed on January 30, 2026, and has a CVSS score of 7.7. The vulnerability affects @backstage/plugin-techdocs-node versions prior to 1.13.11 and 1.14.1. The fix introduces an allowlist of supported MkDocs configuration keys and removes unsupported configuration keys, including hooks, from mkdocs.yml before running the generator.

Official resources

This article was generated with AI assistance based on the supplied source corpus.