GHSA-3x3q-ghcp-whf7

Source
https://github.com/advisories/GHSA-3x3q-ghcp-whf7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-3x3q-ghcp-whf7/GHSA-3x3q-ghcp-whf7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3x3q-ghcp-whf7
Aliases
Published
2025-08-15T18:43:16Z
Modified
2025-08-15T19:14:45.419052Z
Severity
  • 2.6 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
Summary
Template Secret leakage in logs in Scaffolder when using `fetch:template`
Details

Impact

Duplicate logging of the input values in the `fetch:template` action in the Scaffolder meant that some of the secrets were not properly redacted before being written to the logs. If you are not passing `${{ secrets.x }}` values through to `fetch:template`, there is no impact.

Patches

This issue has been resolved in version 2.1.1 of the scaffolder-backend plugin (`@backstage/plugin-scaffolder-backend`).

Workarounds

Template authors can work around the issue by not passing `${{ secrets }}` values as arguments to `fetch:template`.

References

If you have any questions or comments about this advisory:

  • Open an issue in the Backstage repository
  • Visit our Discord, linked to in the Backstage README

Database specific
{
    "severity": "LOW",
    "cwe_ids": [
        "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-15T18:43:16Z",
    "nvd_published_at": "2025-08-15T18:15:27Z"
}
Affected packages

npm / @backstage/plugin-scaffolder-backend

Package

Name
@backstage/plugin-scaffolder-backend
Purl
pkg:npm/%40backstage/plugin-scaffolder-backend

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.1

Database specific

{
    "last_known_affected_version_range": "<= 2.1.0"
}