CVE-2025-55285

Published: 15 Aug 2025
Source: redhat
CVSS3: 2.6

Description

@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template.

A flaw has been discovered in the @backstage/plugin-scaffolder-backend npm package that can lead to an information leak. The fetch:template action in the Scaffolder improperly duplicates logging of input values, which can bypass the intended redaction of secrets. This means that an attacker with access to the logging system may be able to recover sensitive information.
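
To apply the workaround described above, template authors first have to find `fetch:template` steps whose input references `${{ secrets }}`. The following check is an added example, not code from Backstage or Red Hat; it is a line-based heuristic rather than a YAML parser, and the sample template and the secret name `deployToken` are constructed.

```python
import re

# Line-based heuristic, not a YAML parser: assumes block-style YAML, one step per "- " item.
STEP_ITEM = re.compile(r"^\s*-\s+\S")
FETCH_TEMPLATE = re.compile(r"^\s*(?:-\s+)?action:\s*['\"]?fetch:template['\"]?\s*(?:#.*)?$")
SECRET_REF = re.compile(r"\$\{\{[^}]*(?<![\w.])secrets\b")

def find_secret_inputs(template_text):
    """Return (line_no, text) for every secrets reference inside a fetch:template step."""
    findings, block = [], []
    in_steps, item_indent = False, None
    def flush():  # judge the step collected so far, then start a fresh one
        if any(FETCH_TEMPLATE.match(t) for _, t in block):
            findings.extend((n, t.strip()) for n, t in block if SECRET_REF.search(t))
        block.clear()
    for no, line in enumerate(template_text.splitlines(), 1):
        if not in_steps:
            in_steps = re.match(r"^\s*steps:\s*$", line) is not None
            continue
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        is_item = STEP_ITEM.match(line) is not None
        if item_indent is None:
            item_indent = indent  # indent of the first entry under "steps:"
        if indent < item_indent or (indent == item_indent and not is_item):
            flush()  # a sibling or parent key ends the steps list
            in_steps, item_indent = False, None
            continue
        if is_item and indent == item_indent:
            flush()
        block.append((no, line))
    flush()
    return findings

# Constructed template fragment; the secret name deployToken is made up for this example.
SAMPLE = """\
steps:
  - id: fetch
    action: fetch:template
    input:
      values:
        token: ${{ secrets.deployToken }}
  - id: publish
    action: publish:github
    input:
      token: ${{ secrets.deployToken }}
"""
if __name__ == "__main__":
    print(find_secret_inputs(SAMPLE))
```

Only the `fetch` step is reported: per the description, a secret that is not passed through to `fetch:template` is not affected.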

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Serverless | openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8 | Fix deferred | | |
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Fix deferred | | |
| Red Hat Developer Hub | rhdh/rhdh-rhel9-operator | Fix deferred | | |

Additional information

Status: Low
Defect: CWE-532
https://bugzilla.redhat.com/show_bug.cgi?id=2388819
@backstage/plugin-scaffolder-backend: @backstage/plugin-scaffolder-backend Template Secret Leakage in Logs

Related vulnerabilities

CVSS3: 2.6
nvd
4 months ago

CVSS3: 2.6
github
4 months ago

Template Secret leakage in logs in Scaffolder when using `fetch:template`
