CVE-2026-25153
@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
Description
### Impact When TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. ### Patches Upgrade to `@backstage/plugin-techdocs-node` version 1.13.11, 1.14.1 or later. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. **Note**: Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. ### Workarounds If you cannot upgrade immediately: 1. Use Docker mode with restricted access: Configure TechDocs with `runIn: docker` instead of `runIn: local`. This provides container isolation, though it does not fully mitigate the risk. 2. Restrict repository access: Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes. Only allow trusted contributors. 3. Manual review: Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. 4. Downgrade MkDocs: Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. **Note**: Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package. ### References [MkDocs Hooks Documentation](https://www.mkdocs.org/user-guide/configuration/#hooks) [MkDocs 1.4 Release Notes](https://www.mkdocs.org/about/release-notes/#version-14-2022-09-27) [TechDocs Architecture](https://backstage.io/docs/features/techdocs/architecture)
How to fix CVE-2026-25153
To remediate CVE-2026-25153, upgrade the affected package to a fixed version below.
- —upgrade to 1.14.1 or later
Is CVE-2026-25153 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.