Advisories for Npm/@Backstage/Plugin-Techdocs-Node package

2026

@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator

A path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with techdocs.generator.runIn: local. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation.

@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks

When TechDocs is configured with runIn: local, a malicious actor who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration.

2022

Path traversal for local publishers in TechDocs backend

A malicious actor with the ability to register entities in the Software Catalog is able to write files to arbitrary paths on the techdocs backend host instance when techdocs.publisher.type is set to local.