CVE-2025-55285: Template Secret leakage in logs in Scaffolder when using `fetch:template`
A logging flaw in the Backstage Scaffolder `fetch:template` action, in `@backstage/plugin-scaffolder-backend` versions up to and including 2.1.0, may write template secrets to logs. The action emitted a second, pre-redaction copy of its input parameters, so values supplied through the `{{ secrets }}` bag could appear in local or server logs whenever the action ran. Exploitation requires that the template actually passes secrets to the action and that the attacker can read Scaffolder or build logs; only confidentiality is affected, integrity and availability are not.
- Fix: upgrade to `@backstage/plugin-scaffolder-backend` 2.1.1, which removes the duplicate log path and ensures secrets are redacted.
- Mitigation: if upgrading is not possible, avoid passing `{{ secrets }}` values to `fetch:template`.
Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README