CVE-2026-25152: @backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator

February 2, 2026

A path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with techdocs.generator.runIn: local.

When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation.

References

github.com/advisories/GHSA-w669-jj7h-88m9
github.com/backstage/backstage
github.com/backstage/backstage/commit/08f388e3394b133171fe13b62a78caf14407b9c3
github.com/backstage/backstage/security/advisories/GHSA-w669-jj7h-88m9
nvd.nist.gov/vuln/detail/CVE-2026-25152

Code Behaviors & Features

Detect and mitigate CVE-2026-25152 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →