CVE-2025-55285
Description
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template, there is no impact. This issue has been resolved in version 2.1.1 of the scaffolder-backend plugin. As a workaround, template authors can remove any use of ${{ secrets }} as an argument to fetch:template.
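The workaround can be checked mechanically on instances that cannot upgrade yet. The following is an added example, not code from Backstage or from the advisory: it walks a template that has already been parsed into a JavaScript object and reports every fetch:template step whose input references the secrets context. The function names and the sample template are constructed for illustration.

```javascript
// Added example: audit a parsed Backstage template for the CVE-2025-55285 workaround.
// Matches any ${{ ... }} expression that references the `secrets` context.
const SECRET_EXPR = /\$\{\{[^}]*\bsecrets\b[^}]*\}\}/;

// Recursively collect the paths of string values that reference secrets.
function findSecretRefs(value, path = 'input') {
  if (typeof value === 'string') {
    return SECRET_EXPR.test(value) ? [path] : [];
  }
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findSecretRefs(v, `${path}[${i}]`));
  }
  if (value && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) =>
      findSecretRefs(v, `${path}.${k}`));
  }
  return []; // numbers, booleans, null, undefined
}

// Return one finding per fetch:template step that is handed a secret.
// Other actions are ignored: the advisory states there is no impact
// unless the secret is passed through to fetch:template.
function auditTemplate(template) {
  const steps = (template.spec && template.spec.steps) || [];
  return steps
    .filter(step => step.action === 'fetch:template')
    .map(step => ({ stepId: step.id, paths: findSecretRefs(step.input) }))
    .filter(finding => finding.paths.length > 0);
}

// Constructed sample template (hypothetical step ids and values).
const sampleTemplate = {
  spec: {
    steps: [
      { id: 'fetch-base', action: 'fetch:template',
        input: { url: './skeleton',
                 values: { name: '${{ parameters.name }}',
                           token: '${{ secrets.USER_OAUTH_TOKEN }}' } } },
      { id: 'fetch-docs', action: 'fetch:template',
        input: { url: './docs', values: { name: '${{ parameters.name }}' } } },
      { id: 'publish', action: 'publish:github',
        input: { token: '${{ secrets.USER_OAUTH_TOKEN }}' } },
    ],
  },
};

console.log(JSON.stringify(auditTemplate(sampleTemplate), null, 2));
```

Only the `fetch-base` step is reported, at `input.values.token`; the `publish` step also receives the secret but is outside the affected action.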
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @backstage/plugin-scaffolder-backend (npm) | < 2.1.1 | 2.1.1 |
Patches
c371f6fe1237 chore: dont log splat values in logger
1 file changed · +5 −6
plugins/scaffolder-backend/src/scaffolder/tasks/logger.ts+5 −6 modified@@ -61,23 +61,22 @@ export class BackstageLoggerTransport extends Transport { const message = info[MESSAGE]; const level = info[LEVEL]; - const splat = info[SPLAT]; switch (level) { case 'error': - this.backstageLogger.error(String(message), ...splat); + this.backstageLogger.error(String(message)); break; case 'warn': - this.backstageLogger.warn(String(message), ...splat); + this.backstageLogger.warn(String(message)); break; case 'info': - this.backstageLogger.info(String(message), ...splat); + this.backstageLogger.info(String(message)); break; case 'debug': - this.backstageLogger.debug(String(message), ...splat); + this.backstageLogger.debug(String(message)); break; default: - this.backstageLogger.info(String(message), ...splat); + this.backstageLogger.info(String(message)); } this.taskContext.emitLog(message, { stepId: this.stepId });
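Review bot: nothing in the switch over `level` in BackstageLoggerTransport records why the splat arguments must not be forwarded, so a later cleanup could restore `...splat` on any of the five `this.backstageLogger.*` calls and bring back the unredacted input values. Add a short comment above the switch stating that splat values can carry step inputs, including secrets, and that only `String(message)` may be passed on. With one file changed there is also no regression test in this commit; a test that logs a secret through the splat arguments and asserts it never reaches `backstageLogger` would pin the behaviour. If `SPLAT` is no longer used elsewhere in logger.ts after the `const splat = info[SPLAT];` line is removed, its import should be dropped as well.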