PT-2025-33503 · Backstage · @Backstage/Plugin-Scaffolder-Backend

Benjdlambert · Published 2025-08-15 · Updated 2025-08-16 · CVE-2025-55285

CVSS v3.1: 2.6 (Low)

Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-scaffolder-backend versions prior to 2.1.1
Description: The backend for the default Backstage software templates exhibited duplicate logging of input values in the fetch:template action within the Scaffolder. This resulted in improper redaction of secrets. The issue occurs when the variable ${{ secrets.x }} is passed to the fetch:template action.
Recommendations: Update versions prior to 2.1.1 to version 2.1.1 or later. Template authors can remove the use of ${{ secrets }} as an argument to fetch:template.

Exploit

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2025-55285
GHSA-3X3Q-GHCP-WHF7

Affected Products

@Backstage/Plugin-Scaffolder-Backend