@backstage/plugin-techdocs-node@1.14.1-next.0 vulnerabilities

Common node.js functionalities for TechDocs, to be shared between techdocs-backend plugin and techdocs-cli

  • latest version: 1.13.11

  • latest non vulnerable version

  • first published: 3 years ago

  • latest version published: 15 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @backstage/plugin-techdocs-node package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Directory Traversal

    @backstage/plugin-techdocs-node provides common Node.js functionality for TechDocs, shared between the techdocs-backend plugin and techdocs-cli.

    Affected versions of this package are vulnerable to Directory Traversal via the TechdocsGenerator function when processing documentation from untrusted sources. An attacker can access sensitive files outside the intended directory by submitting symlinks within the docs, resulting in file contents being embedded into generated HTML and exposed to users who can view the documentation.

    How to fix Directory Traversal?

    Upgrade @backstage/plugin-techdocs-node to version 1.13.11, 1.14.1 or higher.

    Vulnerable versions: <1.13.11, >=1.14.0 <1.14.1
    • H
    Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the processing of MkDocs hooks, when TechDocs is configured with runIn: local. An attacker who can submit or modify a repository's mkdocs.yml file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration.

    How to fix Arbitrary Code Injection?

    Upgrade @backstage/plugin-techdocs-node to version 1.13.11, 1.14.1 or higher.

    Vulnerable versions: <1.13.11, >=1.14.0 <1.14.1
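
A pre-build audit for the two issues listed above, as an added example that is not code from Backstage or Snyk: it flags symlinks in a docs tree that resolve outside that tree, and a top-level hooks key in mkdocs.yml. The docs/ directory name, the function names and the sample repository are assumptions constructed for illustration.

```javascript
// Added example (not Backstage or Snyk code): audit an untrusted docs checkout before building.
const fs = require('node:fs');
const path = require('node:path');
const os = require('node:os');

// Return symlinks under docsRoot whose resolved target lies outside docsRoot
// or cannot be resolved. Symlinks are never followed during the walk.
function findEscapingSymlinks(docsRoot) {
  const root = fs.realpathSync(docsRoot);
  const findings = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) {
        let target = null;
        try { target = fs.realpathSync(full); } catch { /* dangling or looping link */ }
        const inside = target !== null &&
          (target === root || target.startsWith(root + path.sep));
        if (!inside) findings.push(path.relative(root, full));
      } else if (entry.isDirectory()) {
        walk(full);
      }
    }
  };
  walk(root);
  return findings.sort();
}

// True if the mkdocs.yml text has a top-level `hooks:` key. Line-based check,
// an assumption standing in for a real YAML parser (flow-style maps are missed).
function declaresHooks(mkdocsYmlText) {
  return mkdocsYmlText.split(/\r?\n/).some((line) => /^hooks\s*:/.test(line));
}

// Constructed sample repository in a temp directory (hypothetical layout).
function buildSampleRepo() {
  const repo = fs.mkdtempSync(path.join(os.tmpdir(), 'techdocs-audit-'));
  const docs = path.join(repo, 'docs');
  fs.mkdirSync(path.join(docs, 'guide'), { recursive: true });
  fs.writeFileSync(path.join(repo, 'outside.txt'), 'constructed file outside docs/\n');
  fs.writeFileSync(path.join(docs, 'index.md'), '# Home\n');
  fs.symlinkSync('../index.md', path.join(docs, 'guide', 'home.md')); // stays inside docs/
  fs.symlinkSync('../../outside.txt', path.join(docs, 'guide', 'leak.md')); // leaves docs/
  fs.writeFileSync(path.join(repo, 'mkdocs.yml'),
    'site_name: sample\nhooks:\n  - hooks/build.py\n');
  return repo;
}
```

A check like this helps triage repositories a vulnerable build may already have processed; it does not replace the upgrade to 1.13.11 or 1.14.1.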