CVE-2026-25153

Date: January 30, 2026

Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with "runIn: local", a malicious actor who can submit or modify a repository's "mkdocs.yml" file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including "hooks") are now removed from "mkdocs.yml" before running the generator, with a warning logged to indicate which keys were removed. Users of "@techdocs/cli" should also upgrade to the latest version, which includes the fixed "@backstage/plugin-techdocs-node" dependency. Some workarounds are available. Configure TechDocs with "runIn: docker" instead of "runIn: local" to provide container isolation, though it does not fully mitigate the risk. Limit who can modify "mkdocs.yml" files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to "mkdocs.yml" files to detect malicious "hooks" configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using "@techdocs/cli" does not mitigate this vulnerability, as the CLI uses the same vulnerable "@backstage/plugin-techdocs-node" package.