CVE-2025-55285: 
JavaScript vulnerability analysis and mitigation

@backstage/plugin-scaffolder-backend, which serves as the backend for default Backstage software templates, was found to have a vulnerability related to secret leakage in logs. The issue, identified as CVE-2025-55285, was discovered and disclosed on August 15, 2025, affecting versions prior to 2.1.1. The vulnerability involves duplicate logging of input values in the fetch:template action in the Scaffolder, which resulted in some secrets not being properly redacted (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 2.6 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N. This indicates that while the vulnerability is network-accessible, it requires high attack complexity, high privileges, and user interaction. The vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File) (GitHub Advisory).

The vulnerability only impacts systems where ${{ secrets.x }} is passed through to fetch:template. When exploited, it could lead to the exposure of sensitive information in log files due to improper redaction of secrets (GitHub Advisory).

The vulnerability has been patched in version 2.1.1 of the scaffolder-backend plugin. For those unable to update immediately, a workaround is available where Template Authors can remove the use of ${{ secrets }} being used as an argument to fetch:template (GitHub Advisory).