PatchSiren cyber security CVE debrief
CVE-2026-25153 Backstage CVE debrief
CVE-2026-25153 is a high-severity vulnerability in the Backstage developer portal framework. The vulnerability affects @backstage/plugin-techdocs-node versions prior to 1.13.11 and 1.14.1. An attacker can exploit this vulnerability by submitting or modifying a repository's mkdocs.yml file to execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. The fix introduces an allowlist of supported MkDocs configuration keys and removes unsupported configuration keys, including hooks, from mkdocs.yml before running the generator.
- Vendor: backstage
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-30
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-30
- Advisory updated: 2026-06-30
Who should care
Users of Backstage and @backstage/plugin-techdocs-node should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to versions 1.13.11 or 1.14.1 of @backstage/plugin-techdocs-node, configuring TechDocs with runIn: docker, limiting who can modify mkdocs.yml files, and implementing PR review requirements for changes to mkdocs.yml files.
Technical summary
The vulnerability stems from missing validation and sanitization of the repository-supplied mkdocs.yml: the file was handed to MkDocs as-is, so anyone able to change it could use the hooks configuration to have arbitrary Python code executed on the TechDocs build server. The fix introduces an allowlist of supported MkDocs configuration keys and strips every unsupported key, including hooks, from mkdocs.yml before running the generator, which removes the hooks configuration as an injection path.
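As an added illustration of the allowlist control described above (example code, not Backstage's own implementation), the function below takes an already-parsed mkdocs.yml mapping, keeps only top-level keys on an allowlist, and reports which keys were dropped so a build can log them. The key list, the sample configuration and all function names are assumptions made for this example; the project's real allowlist may differ.

```typescript
// Added example, not code from @backstage/plugin-techdocs-node.
// Demonstrates allowlist-based sanitization of a parsed mkdocs.yml mapping,
// the style of control the CVE-2026-25153 fix is described as adding.

type MkdocsConfig = Record<string, unknown>;

// Illustrative allowlist of top-level MkDocs keys a docs build needs.
// ASSUMPTION for this example; not the project's actual list.
const ALLOWED_MKDOCS_KEYS: ReadonlySet<string> = new Set([
  'site_name', 'site_description', 'site_url', 'site_author',
  'repo_url', 'repo_name', 'edit_uri', 'docs_dir', 'nav', 'theme',
  'markdown_extensions', 'plugins', 'extra', 'extra_css',
  'extra_javascript', 'copyright', 'strict', 'use_directory_urls',
]);

interface SanitizeResult {
  // Configuration containing only allowlisted keys.
  config: MkdocsConfig;
  // Keys that were present in the input but stripped (e.g. "hooks").
  removed: string[];
}

// Keep allowlisted top-level keys, drop everything else, and record what was
// dropped. Rejects inputs that are not a mapping, since mkdocs.yml must be one.
function sanitizeMkdocsConfig(input: unknown): SanitizeResult {
  if (typeof input !== 'object' || input === null || Array.isArray(input)) {
    throw new Error('mkdocs.yml must parse to a mapping at the top level');
  }
  const config: MkdocsConfig = {};
  const removed: string[] = [];
  for (const [key, value] of Object.entries(input as MkdocsConfig)) {
    if (ALLOWED_MKDOCS_KEYS.has(key)) {
      config[key] = value;
    } else {
      removed.push(key);
    }
  }
  return { config, removed };
}

// One-line audit message a build log can emit when keys are stripped,
// so reviewers can see that a repository tried to set an unsupported key.
function describeRemoval(result: SanitizeResult): string {
  if (result.removed.length === 0) {
    return 'mkdocs.yml: no unsupported keys removed';
  }
  return `mkdocs.yml: removed unsupported keys: ${result.removed.join(', ')}`;
}

// Constructed sample input (not from any real repository): a parsed mkdocs.yml
// that sets the hooks key alongside ordinary keys.
const SAMPLE_CONFIG: MkdocsConfig = {
  site_name: 'Example docs',
  docs_dir: 'docs',
  nav: [{ Home: 'index.md' }],
  hooks: ['docs/example_hook.py'],
};

const sampleResult = sanitizeMkdocsConfig(SAMPLE_CONFIG);
console.log(describeRemoval(sampleResult));
console.log(JSON.stringify(sampleResult.config));
```

In a real pipeline the sanitized object would be serialized back to YAML and written in place of the repository's file before the generator runs; the `removed` list is worth logging or surfacing in the build output, since a repository that repeatedly sets stripped keys is a signal reviewers should look at.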
Defensive priority
High
Recommended defensive actions
- Upgrade to versions 1.13.11 or 1.14.1 of @backstage/plugin-techdocs-node
- Configure TechDocs with runIn: docker to provide container isolation
- Limit who can modify mkdocs.yml files in repositories that TechDocs processes
- Implement PR review requirements for changes to mkdocs.yml files
- Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks
Evidence notes
The CVE-2026-25153 vulnerability was publicly disclosed on January 30, 2026, and has a CVSS score of 7.7. The vulnerability affects @backstage/plugin-techdocs-node versions prior to 1.13.11 and 1.14.1. The fix introduces an allowlist of supported MkDocs configuration keys and removes unsupported configuration keys, including hooks, from mkdocs.yml before running the generator.
Official resources
- CVE-2026-25153 CVE record (CVE.org)
- CVE-2026-25153 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.