CVE-2026-25152 in Backstage
Summary
by MITRE • 01/31/2026
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, a path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation. This vulnerability is fixed in `@backstage/plugin-techdocs-node` versions 1.13.11 and 1.14.1. Some workarounds are available. Switch to `runIn: docker` in `app-config.yaml` and/or restrict write access to TechDocs source repositories to trusted users only.
Analysis
by VulDB Data Team • 02/19/2026
The vulnerability identified as CVE-2026-25152 affects Backstage's @backstage/plugin-techdocs-node component, specifically impacting versions prior to 1.13.11 and 1.14.1. This path traversal vulnerability emerges within the TechDocs local generator functionality when Backstage is configured to execute documentation generation in local mode through the `techdocs.generator.runIn: local` setting. The flaw represents a critical security weakness that enables unauthorized access to sensitive files on the host system, creating a significant risk for organizations utilizing Backstage's developer portal framework.
The vulnerability stems from how MkDocs handles symlinks within documentation directories during the build process. When Backstage processes documentation from untrusted sources, the build follows symbolic links that point to files outside the intended documentation scope. An attacker who can write documentation content can therefore include symlinks that point to sensitive system files. MkDocs resolves these symlinks and embeds the contents of the referenced files into the generated HTML documentation, making the sensitive data accessible to users who can view the documentation.
This vulnerability directly maps to CWE-22 Path Traversal and aligns with ATT&CK technique T1059.007 Command and Scripting Interpreter: Python, as it leverages the Python-based MkDocs tool to execute commands that traverse file system boundaries. The operational impact is severe since the vulnerability can be exploited by attackers who gain access to the documentation generation process or by compromising repositories that feed documentation into Backstage. Organizations running Backstage with local documentation generation enabled are particularly vulnerable, as the attack surface includes any user who can contribute to documentation repositories or who has write access to the documentation source directories.
The security implications extend beyond simple file reading capabilities, as attackers could potentially access configuration files, secret tokens, or other sensitive artifacts stored in the filesystem. This vulnerability particularly affects organizations that trust documentation sources without proper validation, as the exploitation requires no elevated privileges beyond access to write documentation content. The fix implemented in versions 1.13.11 and 1.14.1 addresses this by modifying the file handling process to prevent symlinks from being followed during documentation generation. Organizations should immediately upgrade to these patched versions to eliminate the risk of arbitrary file read attacks.
Multiple mitigation strategies are available for organizations unable to upgrade immediately. The primary recommended approach involves switching the documentation generation mode from local to docker execution by configuring `runIn: docker` in the app-config.yaml file. This containerized approach provides additional isolation between the documentation generation process and the host filesystem, effectively preventing path traversal attacks. Additionally, organizations should implement strict access controls by restricting write permissions to TechDocs source repositories only to trusted users, thereby limiting the attack surface. These workarounds provide temporary protection while organizations plan their upgrade strategies, though the most effective long-term solution remains the adoption of the patched versions that contain the proper file system traversal protections.
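A pre-build check for the symlink condition described above, as an added example that is not code from Backstage or from the fix: it walks a docs directory and reports every symlink whose target resolves outside that directory or cannot be resolved. The function names (`findEscapingSymlinks`, `buildSampleTree`, `runDemo`) and the sample tree are assumptions constructed for illustration.

```javascript
// Added example, not Backstage code; all function names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Returns docs-relative paths of symlinks whose targets resolve outside docsRoot
// (or cannot be resolved at all). Symlinked directories are never descended into.
function findEscapingSymlinks(docsRoot) {
  const root = fs.realpathSync(docsRoot);
  const findings = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) {
        let target = null;
        try { target = fs.realpathSync(full); } catch { /* dangling link */ }
        const inside = target !== null &&
          (target === root || target.startsWith(root + path.sep));
        if (!inside) findings.push(path.relative(root, full));
      } else if (entry.isDirectory()) {
        walk(full);
      }
    }
  };
  walk(root);
  return findings.sort();
}

// Constructed sample tree: one in-tree link, one link to a file outside the
// docs directory, and one dangling link.
function buildSampleTree() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'techdocs-check-'));
  const docs = path.join(base, 'repo', 'docs');
  fs.mkdirSync(path.join(docs, 'guides'), { recursive: true });
  fs.writeFileSync(path.join(base, 'host-secret.txt'), 'constructed secret\n');
  fs.writeFileSync(path.join(docs, 'index.md'), '# Home\n');
  fs.symlinkSync('../index.md', path.join(docs, 'guides', 'home.md'));
  fs.symlinkSync(path.join(base, 'host-secret.txt'), path.join(docs, 'guides', 'leak.md'));
  fs.symlinkSync('missing.md', path.join(docs, 'dangling.md'));
  return { base, docs };
}

function runDemo() {
  const { base, docs } = buildSampleTree();
  try { return findEscapingSymlinks(docs); }
  finally { fs.rmSync(base, { recursive: true, force: true }); }
}

console.log(runDemo());
```

Run against a checked-out documentation source before a `runIn: local` build, a non-empty result is a reason to reject the source; the in-tree link `guides/home.md` is deliberately not reported.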