GHSA-3x3q-ghcp-whf7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3x3q-ghcp-whf7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-3x3q-ghcp-whf7/GHSA-3x3q-ghcp-whf7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3x3q-ghcp-whf7
- Aliases
- Published
- 2025-08-15T18:43:16Z
- Modified
- 2025-09-26T17:19:17Z
- Severity
-
- 2.6 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N CVSS Calculator
- Summary
- Template Secret leakage in logs in Scaffolder when using `fetch:template`
- Details
-
A logging flaw in Backstage Scaffolder’s
fetch:templateaction up to@backstage/plugin-scaffolder-backend2.1.0 may write template secrets to logs. The action emitted a duplicate, pre-redaction copy of input parameters, so values provided via the{{ secrets }}bag could appear in local/server logs when the action ran. Exploitation requires use of thesecretsargument and access to Scaffolder/build logs; integrity and availability are unaffected.- Fix: upgrade to
2.1.1, which removes the duplicate log path and ensures secrets are redacted. - Mitigation: avoid passing
{{ secrets }}tofetch:templateif upgrade is not possible.
Open an issue in the Backstage repository
Visit our Discord, linked to in Backstage README
- Fix: upgrade to
- Database specific
{ "nvd_published_at": "2025-08-15T18:15:27Z", "severity": "LOW", "cwe_ids": [ "CWE-532" ], "github_reviewed": true, "github_reviewed_at": "2025-08-15T18:43:16Z" }- References
Affected packages
npm / @backstage/plugin-scaffolder-backend
Package
- Name
- @backstage/plugin-scaffolder-backend
- View open source insights on deps.dev
- Purl
- pkg:npm/%40backstage/plugin-scaffolder-backend