Listen to this Post
This vulnerability occurs in the TechDocs local generator (techdocs.generator.runIn: local) of the Backstage software catalog. When building documentation from untrusted sources, MkDocs follows symbolic links present within the documentation source directory. An attacker can embed a symlink pointing to a sensitive file on the host filesystem. During the build process, the target file’s content is read and embedded into the final generated HTML. This allows unauthorized users who can view the resulting documentation to read arbitrary files from the host system where the Backstage instance is running, leading to information disclosure.
Platform: Backstage (@backstage/plugin-techdocs-node)
Version: >=1.14.0, <1.13.11
Vulnerability: Path Traversal
Severity: Moderate
Date: 2026-01-30
Prediction: Patch expected by 2026-02-06
What Undercode Say:
find ./docs -type l -ls cat app-config.yaml | grep techdocs.generator.runIn ln -s /etc/passwd ./docs/secret.link
app-config.yaml (Vulnerable) techdocs: generator: runIn: local
How Exploit:
1. Attacker controls docs source.
2. Inserts symbolic link to `/etc/shadow`.
3. Pushes or triggers documentation build.
- MkDocs follows symlink, includes file content in HTML.
- Attacker views published docs to read embedded secrets.
Protection from this CVE
- Upgrade to patched version (1.14.1 or 1.13.11).
- Set `techdocs.generator.runIn: docker` in config.
- Sanitize documentation source input.
- Isolate Backstage build environment.
Impact:
Arbitrary host file read, Information disclosure, Potential privilege escalation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

