GHSA-W669-JJ7H-88M9
Vulnerability from github – Published: 2026-02-02 14:36 – Updated: 2026-02-02 14:36
Summary
@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator
Details
Impact
A path traversal vulnerability in the TechDocs local generator allows an attacker to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`.
When the documentation source is untrusted, a symlink placed inside the docs directory is followed by MkDocs during the build, so the linked file is read from the host and its contents are embedded in the generated HTML, where anyone who can view the documentation can read them. The attacker therefore needs only write access to a TechDocs source repository (the CVSS vector rates this PR:L); no access to the Backstage host itself is required.
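The mechanism above, and the check a hardened local generator would want in front of MkDocs, as an added example in TypeScript. This is not Backstage's own code and not the fix commit: `findEscapingSymlinks` and `assertNoEscapingSymlinks` are hypothetical helpers that walk the docs tree and refuse to build when any symlink resolves outside the real docs root (dangling or looping links fail closed), `naiveRead` shows what reading through the link yields, and `buildDemoDocs` constructs a throwaway tree in the system temp directory with one real page, one in-tree link and one link that escapes.

```typescript
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

export interface SymlinkFinding {
  entry: string;  // symlink path, relative to the docs root
  target: string; // where it resolves (or the raw link text if it dangles)
}

// Is `target` outside `root`? Both must be absolute, already-resolved paths.
function isOutside(root: string, target: string): boolean {
  const rel = path.relative(root, target);
  return rel !== '' && (rel.startsWith('..') || path.isAbsolute(rel));
}

/**
 * Walk a docs tree and report every symlink whose real target lies outside
 * the real docs root. Links that cannot be resolved are reported as well.
 * (Hypothetical pre-build check, not part of @backstage/plugin-techdocs-node.)
 */
export function findEscapingSymlinks(docsDir: string): SymlinkFinding[] {
  const root = fs.realpathSync(docsDir); // realpath so /tmp -> /private/tmp style roots compare cleanly
  const findings: SymlinkFinding[] = [];
  const walk = (dir: string): void => {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, ent.name);
      if (ent.isSymbolicLink()) {
        let target: string;
        let resolved = true;
        try {
          target = fs.realpathSync(full);
        } catch {
          resolved = false; // dangling link or ELOOP: keep the raw link text for the report
          target = path.resolve(dir, fs.readlinkSync(full));
        }
        if (!resolved || isOutside(root, target)) {
          findings.push({ entry: path.relative(root, full), target });
        }
        continue; // never descend through a symlink; realpath has already decided
      }
      if (ent.isDirectory()) walk(full);
    }
  };
  walk(root);
  return findings;
}

/** Gate for a local build: do not hand the tree to MkDocs if anything escapes. */
export function assertNoEscapingSymlinks(docsDir: string): void {
  const bad = findEscapingSymlinks(docsDir);
  if (bad.length > 0) {
    const list = bad.map(f => `${f.entry} -> ${f.target}`).join(', ');
    throw new Error(`refusing to build: symlinks escape the docs root: ${list}`);
  }
}

/** What an unguarded build effectively does: read straight through the link. */
export function naiveRead(docsDir: string, name: string): string {
  return fs.readFileSync(path.join(docsDir, name), 'utf8');
}

/** Constructed demo tree (not real data): index.md, an in-tree link, an escaping link. */
export function buildDemoDocs(): string {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'techdocs-symlink-demo-'));
  const docsDir = path.join(base, 'docs');
  const outsideDir = path.join(base, 'outside');
  fs.mkdirSync(docsDir);
  fs.mkdirSync(outsideDir);
  fs.writeFileSync(path.join(outsideDir, 'host-secret.txt'),
    'CONSTRUCTED SECRET (stands in for any readable host file)\n');
  fs.writeFileSync(path.join(docsDir, 'index.md'), '# Hello\n');
  fs.symlinkSync('index.md', path.join(docsDir, 'alias.md'));                  // resolves inside docs/
  fs.symlinkSync('../outside/host-secret.txt', path.join(docsDir, 'leak.md')); // resolves outside docs/
  return docsDir;
}
```

Run `buildDemoDocs()` and then `naiveRead(docsDir, 'leak.md')` to see the outside file come back through the link; `findEscapingSymlinks(docsDir)` reports only `leak.md`, since `alias.md` resolves inside the root, and `assertNoEscapingSymlinks(docsDir)` throws. The check compares real paths rather than link text so that links chained through an in-tree directory symlink are judged by where they finally land.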
Patches
This vulnerability is fixed in @backstage/plugin-techdocs-node version X.X.X. Users should upgrade to this version or later. (The affected ranges in the record below give the fixed versions as 1.13.11 for releases before 1.13.11 and 1.14.1 for 1.14.0.)
Workarounds
- Switch to `runIn: docker` in your `app-config.yaml`:

```yaml
techdocs:
  generator:
    runIn: docker
```

- Restrict write access to TechDocs source repositories to trusted users only
References
- https://backstage.io/docs/features/techdocs/configuration
Severity
5.3 (Medium), CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@backstage/plugin-techdocs-node"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.14.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@backstage/plugin-techdocs-node"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25152"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T14:36:39Z",
"nvd_published_at": "2026-01-30T22:15:56Z",
"severity": "MODERATE"
},
"details": "### Impact\nA path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`.\n\nWhen processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation.\n\n### Patches\nThis vulnerability is fixed in` @backstage/plugin-techdocs-node` version X.X.X. Users should upgrade to this version or later.\n\n### Workarounds\n- Switch to `runIn: docker` in your `app-config.yaml`:\n```yaml\n techdocs:\n generator:\n runIn: docker\n```\n - Restrict write access to TechDocs source repositories to trusted users only\n\n### References\n- https://backstage.io/docs/features/techdocs/configuration",
"id": "GHSA-w669-jj7h-88m9",
"modified": "2026-02-02T14:36:39Z",
"published": "2026-02-02T14:36:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-w669-jj7h-88m9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25152"
},
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/commit/08f388e3394b133171fe13b62a78caf14407b9c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/backstage/backstage"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator"
}