Headline
GHSA-3x3q-ghcp-whf7: Template Secret leakage in logs in Scaffolder when using `fetch:template`
- CVE-2025-55285
Template Secret leakage in logs in Scaffolder when using `fetch:template`
Low severity • GitHub Reviewed • Published Aug 15, 2025 in backstage/backstage • Updated Aug 15, 2025
Package
@backstage/plugin-scaffolder-backend (npm)
Affected versions
<= 2.1.0
Description
Impact
Duplicate logging of the input values in the `fetch:template` action in the Scaffolder meant that some of the secrets were not properly redacted. If you’re not passing `${{ secrets.x }}` through to `fetch:template`, there is no impact.
Patches
This issue has been resolved in version 2.1.1 of the `scaffolder-backend` plugin.
Workarounds
Template authors can stop passing `${{ secrets }}` as an argument to `fetch:template`.
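One way to audit templates for the pattern described above, as an added example that is not part of the advisory or of Backstage: a line-based scan of block-style template YAML that reports `${{ secrets... }}` references inside `fetch:template` steps. The function name, the sample template, its step ids and its secret names are constructed for illustration.

```javascript
// Added example (not Backstage code): line-based scan of block-style YAML.
const SECRET_EXPR = /\$\{\{[^}]*\bsecrets\b[^}]*\}\}/;
function findSecretsInFetchTemplate(yamlText) {
  const steps = [];
  let stepsIndent = -1; // column of the `steps:` key; -1 while outside it
  let itemIndent = -1;  // column of the "- " that opens each step
  let step = null;      // step currently being read
  yamlText.split(/\r?\n/).forEach((line, i) => {
    const text = line.trim();
    if (!text || text.startsWith('#')) return;
    const indent = line.search(/\S/);
    const isItem = text.startsWith('- ');
    if (text === 'steps:') { stepsIndent = indent; itemIndent = -1; step = null; return; }
    if (stepsIndent < 0) return;
    // A sibling or parent key ends the steps list.
    if (!isItem && indent <= stepsIndent) { stepsIndent = -1; step = null; return; }
    if (isItem && itemIndent < 0) itemIndent = indent;
    const opensStep = isItem && indent === itemIndent;
    const body = opensStep ? text.slice(2).trim() : text;
    const col = line.indexOf(body);
    if (opensStep) steps.push(step = { id: '(no id)', action: null, keyCol: col, hits: [] });
    if (!step) return;
    // Only keys at the step's own level set id/action; nested `id:` values are ignored.
    const kv = body.match(/^(id|action):\s*['"]?([^'"\s#]+)/);
    if (kv && col === step.keyCol) step[kv[1]] = kv[2];
    if (SECRET_EXPR.test(line)) step.hits.push({ line: i + 1, text });
  });
  // Decide after the whole step is read: `action:` may follow `input:`.
  return steps
    .filter((s) => s.action === 'fetch:template')
    .flatMap((s) => s.hits.map((h) => ({ step: s.id, ...h })));
}

// Constructed sample template; step ids and secret names are hypothetical.
const SAMPLE = `apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
spec:
  steps:
    - id: fetch-base
      action: fetch:template
      input:
        values:
          id: demo
          apiToken: \${{ secrets.API_TOKEN }}
    - id: publish
      action: publish:github
      input:
        token: \${{ secrets.USER_OAUTH_TOKEN }}
`;
console.log(findSecretsInFetchTemplate(SAMPLE));
```

The scan assumes each `${{ ... }}` expression sits on one line and does not handle flow-style (`{ ... }`) YAML; steps it reports are the ones to change per the workaround or to cover by upgrading.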
References
If you have any questions or comments about this advisory:
- Open an issue in the Backstage repository
- Visit our Discord, linked to in Backstage README
References
- GHSA-3x3q-ghcp-whf7
- https://nvd.nist.gov/vuln/detail/CVE-2025-55285
- backstage/backstage@c371f6f
Published to the GitHub Advisory Database: Aug 15, 2025
Last updated: Aug 15, 2025