npm package
@backstage/plugin-scaffolder-backend
pkg:npm/%40backstage/plugin-scaffolder-backend
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32237 | Med | 4.4 | — | >= 3.1.0, < 3.1.5 | 3.1.5 | Mar 12, 2026 | Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output |
| CVE-2026-29184 | Low | 2.0 | — | < 3.1.4 | 3.1.4 | Mar 7, 2026 | Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4. |
| CVE-2026-24046 | High | 7.1 | — | < 2.2.2 | 2.2.2 | Jan 21, 2026 | Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read a |
| CVE-2025-55285 | Low | 2.6 | — | < 2.1.1 | 2.1.1 | Aug 15, 2025 | @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets |
| CVE-2023-35926 | — | — | — | < 1.15.0 | 1.15.0 | Jun 22, 2023 | Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past |
| CVE-2021-43783 | — | — | — | < 0.15.14 | 0.15.14 | Nov 29, 2021 | @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the s |
| CVE-2021-41151 | — | — | — | >= 0.9.4, < 0.15.9 | 0.15.9 | Oct 18, 2021 | Backstage is an open platform for building developer portals. In affected versions A malicious actor could read sensitive files from the environment where Scaffolder Tasks are run. The attack is executed by crafting a custom Scaffolder template with a `github:publish:pull-request |