Backstage Plugin Techdocs Node
Monthly
Arbitrary code execution in Backstage's @backstage/plugin-techdocs-node (versions <= 1.14.2) allows attackers who can influence an mkdocs.yml file to run arbitrary Python during the documentation build, bypassing TechDocs' allowlist-based configuration filtering. The flaw stems from MkDocs configuration keys (notably the hooks feature) that the security allowlist failed to block, meaning any contributor able to merge or supply a crafted mkdocs.yml gains code execution on the build host. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS 9.8 rating and trivial exploitation primitive make this a high-priority patch for self-hosted developer portals.
Arbitrary code execution in Backstage's @backstage/plugin-techdocs-node (versions <= 1.14.2) allows attackers who can influence an mkdocs.yml file to run arbitrary Python during the documentation build, bypassing TechDocs' allowlist-based configuration filtering. The flaw stems from MkDocs configuration keys (notably the hooks feature) that the security allowlist failed to block, meaning any contributor able to merge or supply a crafted mkdocs.yml gains code execution on the build host. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS 9.8 rating and trivial exploitation primitive make this a high-priority patch for self-hosted developer portals.