Low severity2.6OSV Advisory· Published Aug 15, 2025· Updated Apr 15, 2026
CVE-2025-55285
CVE-2025-55285
Description
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@backstage/plugin-scaffolder-backendnpm | < 2.1.1 | 2.1.1 |
Affected products
2Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.