Backstage up to 1.13.10/1.14.0 MkDocs Feature code injection

Summaryinfo

A vulnerability, which was classified as critical, has been found in Backstage up to 1.13.10/1.14.0. This issue affects some unknown processing of the component MkDocs Feature. The manipulation leads to code injection. This vulnerability is traded as CVE-2026-25153. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in Backstage up to 1.13.10/1.14.0 and classified as critical. This issue affects an unknown functionality of the component MkDocs Feature. The manipulation with an unknown input leads to a code injection vulnerability. Using CWE to declare the problem leads to CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-25153 since 01/29/2026. The exploitation is known to be difficult. The attack may be initiated remotely. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1059 for this issue.

Upgrading to version 1.13.11 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-5004). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• Backstage

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8
• 1.9
• 1.10
• 1.11
• 1.12
• 1.13
• 1.13.0
• 1.13.1
• 1.13.2
• 1.13.3
• 1.13.4
• 1.13.5
• 1.13.6
• 1.13.7
• 1.13.8
• 1.13.9
• 1.13.10
• 1.14.0

Website

• Product: https://github.com/backstage/backstage/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion