ByteOS Network

CVE Vulnerability Details :

CVE-2025-55285

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-15 Aug, 2025 | 17:10

Updated At-15 Aug, 2025 | 17:49

▼CVE Numbering Authority (CNA)

@backstage/plugin-scaffolder-backend Template Secret Leakage in Logs in Scaffolder When Using `fetch:template`

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template.

Affected Products

Vendor

backstage

Product

backstage

Versions

Affected

< 2.1.1

Problem Types

Type	CWE ID	Description
CWE	CWE-532	CWE-532: Insertion of Sensitive Information into Log File

Metrics

Version	Base score	Base severity	Vector
3.1	2.6	LOW	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

References

Hyperlink	Resource
https://github.com/backstage/backstage/security/advisories/GHSA-3x3q-ghcp-whf7	x_refsource_CONFIRM
https://github.com/backstage/backstage/commit/c371f6fe12371de31dca537510e6653e287cdc2e	x_refsource_MISC

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References