Backstage Scaffolder Backend Template Secret Logging Vulnerability

Vulnerability

A vulnerability exists in the Backstage Scaffolder backend plugin in versions prior to 2.1.1. The issue arises from duplicate logging of input values in the 'fetch:template' action, which leads to some secrets not being redacted properly. This vulnerability is only impactful if '${{ secrets.x }}' is passed to 'fetch:template'.
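To illustrate the failure mode described above, here is an added example (not Backstage code, and not the actual fix in 2.1.1). It assumes a simplified mechanism: an action logs its input once through a redacting call, but a second, duplicated log call writes the same raw input without redaction. The hardened form routes every log line through a single redacting choke point, and a small check scans captured log lines for any known secret value so the leak can be detected. All function names, the sample token and the sample input are constructed for this example.

```typescript
// Added example (not Backstage code): a redaction step applied at one log call
// is bypassed when the same input is logged from a second place; the hardened
// form redacts inside a single logging choke point.

type LogSink = (line: string) => void;

// Replace every occurrence of each known secret value in a message.
function redact(message: string, secrets: Record<string, string>): string {
  let out = message;
  for (const value of Object.values(secrets)) {
    if (value.length === 0) continue;
    out = out.split(value).join('[REDACTED]');
  }
  return out;
}

// Vulnerable pattern (assumed, simplified): the first log call redacts, but a
// duplicated log call from another code path writes the raw input as well.
function runActionDuplicateLogging(
  input: Record<string, string>,
  secrets: Record<string, string>,
  sink: LogSink,
): void {
  const raw = JSON.stringify(input);
  sink(`Running fetch:template with input: ${redact(raw, secrets)}`);
  // Duplicate log of the same values, written without redaction.
  sink(`fetch:template input: ${raw}`);
}

// Hardened pattern: every line passes through one choke point that redacts,
// so a duplicated call cannot bypass redaction.
function makeRedactingLogger(secrets: Record<string, string>, sink: LogSink): LogSink {
  return (line: string) => sink(redact(line, secrets));
}

function runActionSingleChokePoint(
  input: Record<string, string>,
  secrets: Record<string, string>,
  sink: LogSink,
): void {
  const log = makeRedactingLogger(secrets, sink);
  const raw = JSON.stringify(input);
  log(`Running fetch:template with input: ${raw}`);
  log(`fetch:template input: ${raw}`); // duplicate call, still redacted
}

// Detection check: which captured log lines still contain a known secret value?
function findLeakedLines(lines: string[], secrets: Record<string, string>): string[] {
  const values = Object.values(secrets).filter((v) => v.length > 0);
  return lines.filter((line) => values.some((v) => line.includes(v)));
}

// Constructed sample: a template passing ${{ secrets.token }} into fetch:template.
const SAMPLE_SECRETS: Record<string, string> = { token: 'ghp_constructedSampleToken123' };
const SAMPLE_INPUT: Record<string, string> = { url: './skeleton', token: SAMPLE_SECRETS.token };

// Run both variants against the sample and count log lines that leak the secret.
function demo(): { vulnerableLeaks: number; hardenedLeaks: number } {
  const vulnerableLog: string[] = [];
  runActionDuplicateLogging(SAMPLE_INPUT, SAMPLE_SECRETS, (l) => vulnerableLog.push(l));
  const hardenedLog: string[] = [];
  runActionSingleChokePoint(SAMPLE_INPUT, SAMPLE_SECRETS, (l) => hardenedLog.push(l));
  return {
    vulnerableLeaks: findLeakedLines(vulnerableLog, SAMPLE_SECRETS).length,
    hardenedLeaks: findLeakedLines(hardenedLog, SAMPLE_SECRETS).length,
  };
}
```

The design point is that redaction belongs in the logger, not at individual call sites: once it lives in the choke point, adding a second log call cannot reintroduce the leak. The `findLeakedLines` check is the same test an operator can run over exported scaffolder logs with the secret values a template is known to use, to confirm whether anything was exposed before upgrading.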

Impact

The vulnerability can result in the unintentional exposure of template secrets in the logs, as some secrets were not properly redacted due to duplicate logging.

Remediation

Users can upgrade to version 2.1.1 of the Backstage Scaffolder backend plugin to address this vulnerability. Alternatively, template authors can stop passing '${{ secrets }}' values as arguments to 'fetch:template'.

Added: Aug 15, 2025, 6:17 PM
Updated: Aug 15, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 0.3
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.