Description

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template.

INFO

Published Date :

2025-08-15T17:10:26.735Z

Last Modified :

2025-08-15T17:49:24.677Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-55285 vulnerability.

Vendors Products
Backstage
  • Backstage
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-55285.

URL Resource
https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e cve-icon cve-icon cve-icon
https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-55285 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-55285 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact