2.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-55285

GHSA ID

GHSA-3x3q-ghcp-whf7

EPSS Score

CWE

CWE-532

Published

8/15/2025

Updated

8/15/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-55285

CVE-2025-55285: Template Secret leakage in logs in Scaffolder when using `fetch:template`

Impact

Duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If you're not passing through ${{ secrets.x }} to fetch:template there is no impact.

Patches

This issue has been resolved in 2.1.1 of the scaffolder-backend plugin.

Workarounds

Template Authors can remove the use of ${{ secrets }} being used as an argument to fetch:template.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository Visit our Discord, linked to in Backstage README

(GitHub Advisory)

2.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-55285

GHSA ID

GHSA-3x3q-ghcp-whf7

EPSS Score

CWE

CWE-532

Published

8/15/2025

Updated

8/15/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@backstage/plugin-scaffolder-backend	npm	<= 2.1.0	2.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a secret leakage issue in the logging mechanism of the Scaffolder backend plugin in Backstage. The root cause is the log method in the BackstageLoggerTransport class, which was logging extra parameters (splat) that could contain secrets. The provided patch c371f6fe12371de31dca537510e6653e287cdc2e directly addresses this by removing the logging of the splat parameter. Therefore, the BackstageLoggerTransport.log function is the vulnerable function. During exploitation, any action that triggers logging through this transport with secrets in the parameters would cause this function to appear in a profiler's stack trace, and the logs would contain the leaked secrets. The fix prevents this by only logging the main message and not the additional, potentially sensitive, data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *upli**t* lo**in* o* t** input v*lu*s in t** `**t**:t*mpl*t*` **tion in t** S****ol**r m**nt t**t som* o* t** s**r*ts w*r* not prop*rly r****t**. I* you'r* not p*ssin* t*rou** `${{ s**r*ts.x }}` to `**t**:t*mpl*t*` t**r* is no imp**t. ###

Reasoning

T** vuln*r**ility is * s**r*t l**k*** issu* in t** lo**in* m****nism o* t** S****ol**r ***k*n* plu*in in ***kst***. T** root **us* is t** `lo*` m*t*o* in t** `***kst***Lo***rTr*nsport` *l*ss, w*i** w*s lo**in* *xtr* p*r*m*t*rs (`spl*t`) t**t *oul* *o

2.6

Basic Information

Concerned about an active attack path?

CVE-2025-55285: Template Secret leakage in logs in Scaffolder when using `fetch:template`

Impact

Patches

Workarounds

References

2.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI