CVE-2025-55285: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2025-55285) affects the @backstage/plugin-scaffolder-backend, which is the backend for the default Backstage software templates. The issue was discovered and disclosed on August 15, 2025, affecting versions prior to 2.1.1. The vulnerability involves duplicate logging of input values in the fetch:template action, which resulted in improper redaction of secrets (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 2.6 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N. The issue stems from the BackstageLoggerTransport class where duplicate logging of input values in the fetch:template action caused secrets to be improperly redacted. The vulnerability is specifically related to CWE-532 (Insertion of Sensitive Information into Log File) (GitHub Advisory, Miggo).

The impact of this vulnerability is limited to scenarios where ${{ secrets.x }} is passed through to fetch:template. When exploited, it could lead to the exposure of sensitive information in log files. The vulnerability only affects the confidentiality aspect of the system, with no impact on integrity or availability (GitHub Advisory).

The vulnerability has been patched in version 2.1.1 of the scaffolder-backend plugin. As a workaround, Template Authors can remove the use of ${{ secrets }} being used as an argument to fetch:template. The fix involves removing the logging of splat values in the logger, as evidenced by the patch (GitHub Advisory, GitHub Commit).