Cyber Posture

CVE-2026-25153

High · RCE

Published: 30 January 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: available (1.13.11 / 1.14.1)
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0003 (7.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25153 is a high-severity Code Injection (CWE-94) vulnerability in Backstage (Linux Foundation), specifically in the @backstage/plugin-techdocs-node package. Its CVSS 3.1 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 7.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Command and Scripting Interpreter: Python (T1059.006). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation

Upgrading @backstage/plugin-techdocs-node to a patched release (1.13.11 on the 1.13 line, 1.14.1 on the 1.14 line) removes the code injection path in TechDocs local mode. Users of @techdocs/cli need the same upgrade, since the CLI pulls in the same package.

prevent · SI-10 Information Input Validation

Validating `mkdocs.yml` input by allowlisting supported configuration keys and dropping unsupported ones such as `hooks` before the generator runs prevents arbitrary Python from executing during TechDocs generation.

prevent

Restricting who may change `mkdocs.yml` (PR review requirements, trusted contributors only) keeps malicious configurations from reaching the build server. This is a process control: it lowers exposure but, unlike the patch, does not remove the vulnerable code path.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Command and Scripting Interpreter: Python · Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The CVE enables server-side RCE via a malicious `mkdocs.yml` that abuses MkDocs `hooks` during a local TechDocs build (CWE-94). That maps directly to exploitation of a public-facing application (T1190) for access and to Python interpreter execution (T1059.006) for the payload.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository's `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package.

Deeper analysis

CVE-2026-25153 is a code injection vulnerability (CWE-94) in the @backstage/plugin-techdocs-node package, a component of the Backstage open framework for building developer portals. It affects versions prior to 1.13.11 and 1.14.1 when TechDocs is configured with `runIn: local`. In this setup, a malicious `mkdocs.yml` file submitted or modified in a repository can exploit MkDocs hooks configuration to execute arbitrary Python code on the TechDocs build server. The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L).

An attacker with low privileges (PR:L) who can submit or modify a repository's `mkdocs.yml` file processed by TechDocs can exploit this over the network, though the vector carries high attack complexity (AC:H): the attacker needs write or pull-request access to a repository that TechDocs builds. Successful exploitation yields arbitrary Python code execution on the build server, scored as high confidentiality impact with low integrity and availability impacts, plus a scope change (S:C) because the code runs on the build host rather than being confined to the TechDocs component that consumed the file.

The Backstage security advisory (GHSA-6jr7-99pf-8vgf) recommends upgrading to @backstage/plugin-techdocs-node versions 1.13.11 or 1.14.1, which introduce an allowlist of supported MkDocs configuration keys and remove unsupported ones like `hooks` before generation, logging warnings for removed keys. Users of @techdocs/cli should also upgrade to the latest version incorporating the fixed dependency. Workarounds include switching TechDocs to `runIn: docker` for container isolation (partial mitigation), restricting `mkdocs.yml` modifications to trusted contributors with PR review requirements, or using MkDocs versions below 1.4.0 that lack hooks support; note that building in CI/CD pipelines with @techdocs/cli does not mitigate the issue.
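The fix described in the NVD text and the analysis above is an allowlist applied to `mkdocs.yml` before the generator runs. The following is an added example (not Backstage project code) that shows the shape of that control in TypeScript over an already-parsed `mkdocs.yml` object: keys not on the allowlist are dropped, a warning names them, and a non-mapping top level is rejected. The allowlist contents, the function names and the sample configuration are assumptions for illustration; the real package ships its own list.

```typescript
// Added example (not Backstage code): strip MkDocs configuration keys that are
// not on an allowlist before handing mkdocs.yml to the generator.
// ALLOWED_MKDOCS_KEYS is illustrative; the shipped fix defines its own list.
const ALLOWED_MKDOCS_KEYS: ReadonlySet<string> = new Set([
  "site_name", "site_description", "site_url", "repo_url", "edit_uri",
  "docs_dir", "nav", "theme", "plugins", "markdown_extensions",
  "extra_css", "extra_javascript", "extra",
]);

type MkdocsConfig = Record<string, unknown>;

interface SanitizeResult {
  config: MkdocsConfig; // only allowlisted keys survive
  removed: string[];    // keys that were dropped, for the warning log
}

function sanitizeMkdocsConfig(
  parsed: unknown,
  warn: (msg: string) => void = console.warn,
): SanitizeResult {
  // mkdocs.yml must be a YAML mapping at the top level; a list, scalar or
  // null document is rejected rather than passed through.
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("mkdocs.yml must be a mapping at the top level");
  }
  const input = parsed as MkdocsConfig;
  const config: MkdocsConfig = {};
  const removed: string[] = [];
  for (const key of Object.keys(input)) {
    if (ALLOWED_MKDOCS_KEYS.has(key)) {
      config[key] = input[key];
    } else {
      removed.push(key);
    }
  }
  if (removed.length > 0) {
    // Mirrors the behaviour the advisory describes: removed keys are logged.
    warn(`mkdocs.yml: removed unsupported configuration key(s): ${removed.join(", ")}`);
  }
  return { config, removed };
}

// Constructed sample: the parsed form of a mkdocs.yml carrying a `hooks`
// entry. With MkDocs >= 1.4.0 each path listed under `hooks` is imported and
// run as Python during the build, which is the vector this CVE describes.
const sampleParsedMkdocsYml: MkdocsConfig = {
  site_name: "Example Service",
  nav: [{ Home: "index.md" }],
  plugins: ["techdocs-core"],
  hooks: ["docs/hooks.py"],
  unknown_key: true,
};

function demo(): SanitizeResult {
  return sanitizeMkdocsConfig(sampleParsedMkdocsYml, () => {});
}
```

In a real pipeline the object would come from parsing the repository's `mkdocs.yml` (for example with js-yaml) and the sanitized result would be written back before `mkdocs build` is invoked; the allowlist should be kept deliberately short, since every key admitted is a key an untrusted contributor can control.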

Details

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Affected Products

linuxfoundation
backstage (@backstage/plugin-techdocs-node)
< 1.13.11 · ≥ 1.14.0 and < 1.14.1 (fixed in 1.13.11 and 1.14.1)

CVEs Like This One

CVE-2026-32236 · Same product: Linuxfoundation Backstage
CVE-2026-32613 · Same vendor: Linuxfoundation
CVE-2026-29186 · Same vendor: Linuxfoundation
CVE-2024-24421 · Same vendor: Linuxfoundation
CVE-2026-35171 · Same vendor: Linuxfoundation
CVE-2025-54550 · Shared CWE-94
CVE-2026-39891 · Shared CWE-94
CVE-2026-24124 · Same vendor: Linuxfoundation
CVE-2026-31048 · Shared CWE-94
CVE-2026-33701 · Same vendor: Linuxfoundation
