Bug 2388819 (CVE-2025-55285)

Summary: CVE-2025-55285 @backstage/plugin-scaffolder-backend: @backstage/plugin-scaffolder-backend Template Secret Leakage in Logs
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: abarbaro, dhanak, drosa, dsimansk, jchui, jhe, kingland, ktsao, kverlaen, matzew, mnovotny, nboldt, psrna, sausingh
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: ---
Doc Text:
A flaw has been discovered in the @backstage/plugin-scaffolder-backend npm package that can lead to an information leak. In versions prior to 2.1.1, the fetch:template action in the Scaffolder logs its input values twice, and the duplicate log entry is not passed through the redaction intended for ${{ secrets }} values. A secret that a template passes to fetch:template therefore appears unredacted in the scaffolder logs, and an attacker with read access to the logging system may recover it. Templates that do not pass ${{ secrets }} values to fetch:template are not affected.

Description OSIDB Bzimport 2025-08-15 18:01:12 UTC
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in version 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} as an argument to fetch:template.
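The precondition stated above (a ${{ secrets.x }} value reaching fetch:template) can be checked mechanically across a template catalog before deciding whether the upgrade or the workaround is urgent. The TypeScript below is an added example, not Backstage project code: it walks the steps of a template that has already been parsed from YAML into an object and reports every fetch:template step whose input contains a ${{ secrets... }} reference. The two templates embedded in it are constructed for this example; the publish:github step in the second one is only illustrative, and the bracket spelling ${{ secrets['name'] }} is an assumed variant that the advisory does not show.

```typescript
// Added example, not Backstage code: find fetch:template steps that are
// handed ${{ secrets.* }} values, the condition under which CVE-2025-55285
// writes the secret unredacted into the scaffolder logs.

interface Step {
  id?: string;
  action: string;
  input?: unknown;
}

interface Template {
  apiVersion: string;
  kind: string;
  metadata: { name: string };
  spec: { steps: Step[] };
}

interface Finding {
  stepId: string; // step id, or steps[<index>] when the step has no id
  path: string;   // location of the reference inside the step input
  ref: string;    // the matched ${{ secrets... }} expression
}

// ${{ secrets.name }} is the spelling shown in the advisory; the bracket form
// ${{ secrets['name'] }} is an assumed variant matched as well.
const SECRET_REF = /\$\{\{\s*secrets\s*(?:\.[A-Za-z_]\w*|\[[^\]]*\])[^}]*\}\}/g;

// Collect every string leaf of an input value together with its path.
function stringLeaves(value: unknown, path: string, out: Array<[string, string]>): void {
  if (typeof value === "string") {
    out.push([path, value]);
  } else if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) stringLeaves(value[i], `${path}[${i}]`, out);
  } else if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    for (const key of Object.keys(obj)) stringLeaves(obj[key], `${path}.${key}`, out);
  }
  // numbers, booleans, null and undefined cannot carry a template expression
}

function findSecretsInFetchTemplate(tpl: Template): Finding[] {
  const findings: Finding[] = [];
  tpl.spec.steps.forEach((step, idx) => {
    if (step.action !== "fetch:template") return; // other actions are out of scope here
    const stepId = step.id !== undefined ? step.id : `steps[${idx}]`;
    const leaves: Array<[string, string]> = [];
    stringLeaves(step.input, "input", leaves);
    for (const [path, text] of leaves) {
      const re = new RegExp(SECRET_REF.source, "g"); // fresh regex state per string
      let m: RegExpExecArray | null;
      while ((m = re.exec(text)) !== null) findings.push({ stepId, path, ref: m[0] });
    }
  });
  return findings;
}

// Constructed template (not from any real catalog): the vulnerable pattern,
// a secret passed to fetch:template as one of its template values.
const leakyTemplate: Template = {
  apiVersion: "scaffolder.backstage.io/v1beta3",
  kind: "Template",
  metadata: { name: "service-with-registry-token" },
  spec: {
    steps: [
      {
        id: "fetch",
        action: "fetch:template",
        input: {
          url: "./skeleton",
          values: {
            name: "${{ parameters.name }}",
            registryToken: "${{ secrets.registryToken }}", // logged unredacted before 2.1.1
          },
        },
      },
    ],
  },
};

// Constructed template showing the workaround: fetch:template no longer
// receives the secret; an illustrative publish step consumes it instead.
const safeTemplate: Template = {
  apiVersion: "scaffolder.backstage.io/v1beta3",
  kind: "Template",
  metadata: { name: "service-with-registry-token" },
  spec: {
    steps: [
      {
        id: "fetch",
        action: "fetch:template",
        input: { url: "./skeleton", values: { name: "${{ parameters.name }}" } },
      },
      {
        id: "publish",
        action: "publish:github",
        input: { repoUrl: "${{ parameters.repoUrl }}", token: "${{ secrets.githubToken }}" },
      },
    ],
  },
};

// One human-readable line per finding, suitable for a CI gate over a catalog.
function report(tpl: Template): string[] {
  return findSecretsInFetchTemplate(tpl).map(
    (f) => `${tpl.metadata.name}: step ${f.stepId} passes ${f.ref} at ${f.path}`,
  );
}

for (const line of report(leakyTemplate)) console.log(line);
```

Templates with no findings are unaffected by this CVE whatever plugin version is deployed; templates with findings need either the 2.1.1 upgrade or the secret moved out of the fetch:template input, as the workaround describes. Because the secret value itself is already in the logs for any run that happened before the fix, treat those secrets as exposed and rotate them rather than only fixing the template.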