PT-2025-33503 · Backstage · @Backstage/Plugin-Scaffolder-Backend

Benjdlambert · Published 2025-08-15 · Updated 2025-08-16 · CVE-2025-55285

CVSS v3.1: 2.6
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-scaffolder-backend versions prior to 2.1.1
Description: The backend for the default Backstage software templates exhibited duplicate logging of input values in the fetch:template action within the Scaffolder. This resulted in improper redaction of secrets. The issue occurs when the variable ${{ secrets.x }} is passed to the fetch:template action.
Recommendations: Versions prior to 2.1.1 should be updated to version 2.1.1 or later. Template Authors can remove the use of ${{ secrets }} as an argument to fetch:template.
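For template authors applying the workaround above, a check like the following flags fetch:template steps that still receive a secrets expression. It is an added example, not code from Backstage or from this advisory. The function name findSecretsInFetchTemplate and the sample template are constructed, and the line-based scan assumes block-style YAML with the steps listed under a `steps:` key.

```javascript
// Constructed sample template (not from the advisory).
const SAMPLE_TEMPLATE = `
spec:
  steps:
    - id: fetch-base
      action: fetch:template
      input:
        url: ./skeleton
        values:
          name: \${{ parameters.name }}
          apiToken: \${{ secrets.API_TOKEN }}
    - id: publish
      action: publish:github
      input:
        token: \${{ secrets.USER_OAUTH_TOKEN }}
`;

// Hypothetical helper: returns [{ line, text }] for every secrets reference
// found inside a step whose action is fetch:template.
function findSecretsInFetchTemplate(yamlText) {
  const findings = [];
  let stepsIndent = null; // indentation of the "steps:" key while inside it
  let itemIndent = null;  // indentation of the "- " entries that start a step
  let step = null;        // step block currently being collected
  const flush = () => {
    if (step && step.isFetchTemplate) findings.push(...step.hits);
    step = null;
  };
  yamlText.split(/\r?\n/).forEach((line, i) => {
    const text = line.trim();
    if (text === '' || text.startsWith('#')) return;
    const indent = line.length - line.trimStart().length;
    if (text === 'steps:') { flush(); stepsIndent = indent; itemIndent = null; return; }
    if (stepsIndent === null) return;
    // A key at or left of "steps:" that is not a list item ends the section.
    if (indent < stepsIndent || (indent === stepsIndent && !text.startsWith('- '))) {
      flush(); stepsIndent = null; return;
    }
    if (text.startsWith('- ') && (itemIndent === null || indent === itemIndent)) {
      flush(); itemIndent = indent; step = { isFetchTemplate: false, hits: [] };
    }
    if (!step) return;
    if (/^(- )?action:\s*['"]?fetch:template['"]?$/.test(text)) step.isFetchTemplate = true;
    if (/\$\{\{[^}]*\bsecrets\b/.test(text)) step.hits.push({ line: i + 1, text });
  });
  flush();
  return findings;
}

console.log(findSecretsInFetchTemplate(SAMPLE_TEMPLATE));
```

Only the fetch:template step is reported; the secrets reference passed to the other action in the sample is left alone.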

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2025-55285
GHSA-3X3Q-GHCP-WHF7

Affected Products

@Backstage/Plugin-Scaffolder-Backend