CVE-2025-55285
BaseFortify
Publication date: 2025-08-15
Last updated on: 2025-08-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| backstage | plugin_scaffolder_backend | 2.1.0 |
| backstage | plugin_scaffolder_backend | 2.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the @backstage/plugin-scaffolder-backend before version 2.1.1, where duplicate logging of input values in the fetch:template action caused some secrets to not be properly redacted. If secrets are not passed through to fetch:template, there is no impact. The issue has been fixed in version 2.1.1.
How can this vulnerability impact me?
The vulnerability can lead to exposure of some secrets due to improper redaction in logs, potentially leaking sensitive information. However, if secrets are not passed to fetch:template, there is no impact. The CVSS base score is low (2.6), indicating limited impact.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the @backstage/plugin-scaffolder-backend to version 2.1.1 or later. As a workaround, Template Authors should remove the use of ${{ secrets }} as an argument to fetch:template to avoid leaking secrets.
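The two answers above describe the same failure mode: values that are redacted on one logging path still leak when a second path logs the same input without redaction. The following TypeScript is an added illustration, not code from Backstage or from the scaffolder plugin. It models a redacting logger, a raw logging path that bypasses it, and a leak scanner a defender can run over emitted log lines to confirm that no known secret value reached the logs. The secret values, the `fetch:template` input shape and the function names (`redact`, `RedactingLogger`, `findLeaks`, `runScenario`) are constructed for the example.

```typescript
// Added example, not Backstage code: a redacting logger plus a scanner that
// checks emitted log lines for raw secret values.

const REDACTED = "***";

// Constructed secret values used only for this demonstration.
export const SAMPLE_SECRETS: Record<string, string> = {
  GITHUB_TOKEN: "ghp_constructedExampleToken123",
  DEPLOY_KEY: "constructed-deploy-key-456",
};

// Replace every occurrence of every known secret value with a marker.
export function redact(text: string, secrets: Record<string, string>): string {
  let out = text;
  for (const value of Object.values(secrets)) {
    if (value.length === 0) continue; // an empty value would match everywhere
    out = out.split(value).join(REDACTED);
  }
  return out;
}

export class RedactingLogger {
  readonly lines: string[] = [];
  constructor(private readonly secrets: Record<string, string>) {}

  // Intended path: everything is redacted before it is written.
  info(message: string): void {
    this.lines.push(redact(message, this.secrets));
  }

  // A second path that writes the message as-is. This stands in for the kind
  // of duplicate, unredacted logging of input values the advisory describes.
  rawInfo(message: string): void {
    this.lines.push(message);
  }
}

export interface Leak {
  line: number; // index into the log lines
  name: string; // which secret was found in clear text
}

// Defensive check: scan captured log output for any known secret value.
export function findLeaks(lines: string[], secrets: Record<string, string>): Leak[] {
  const leaks: Leak[] = [];
  lines.forEach((line, i) => {
    for (const [name, value] of Object.entries(secrets)) {
      if (value.length > 0 && line.includes(value)) leaks.push({ line: i, name });
    }
  });
  return leaks;
}

// Simulate a template step whose input carries a secret, with and without the
// duplicate raw log line.
export function runScenario(duplicateRawLog: boolean): { lines: string[]; leaks: Leak[] } {
  const logger = new RedactingLogger(SAMPLE_SECRETS);
  const input = { url: "./skeleton", values: { token: SAMPLE_SECRETS.GITHUB_TOKEN } }; // constructed
  logger.info(`Running fetch:template with input ${JSON.stringify(input)}`);
  if (duplicateRawLog) {
    logger.rawInfo(`Input values: ${JSON.stringify(input.values)}`);
  }
  return { lines: logger.lines, leaks: findLeaks(logger.lines, SAMPLE_SECRETS) };
}
```

Running `runScenario(false)` yields a single redacted line and no leaks; `runScenario(true)` yields a second line containing the raw token, which `findLeaks` reports. The scanner is the useful part for operators: after upgrading, or while the workaround of removing `${{ secrets }}` from `fetch:template` arguments is in place, the same scan over real scaffolder logs with the real secret values confirms whether any unredacted copies remain.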