Input Logging Issue in Backstage Plugin by Spotify
CVE-2025-55285

2.6 LOW

Key Information:

Vendor

Backstage

Status
Vendor
CVE Published:
15 August 2025

What is CVE-2025-55285?

The Backstage Scaffolder Backend plugin, which supports software template management for Backstage, has a vulnerability caused by improper input logging. In versions before 2.1.1, the fetch:template action may log its input values without adequately redacting sensitive information such as secrets. When ${{ secrets.x }} is not used in the fetch:template call, the risk of exposure is mitigated. Template authors should therefore avoid passing ${{ secrets }} as a parameter to fetch:template. Updating to version 2.1.1 addresses this issue.
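To find templates that need review, the following added example (not code from Backstage or from this advisory) scans a template's YAML text for fetch:template steps whose input references ${{ secrets }}. It assumes block-style YAML and uses an indentation heuristic rather than a full YAML parser; the function name, the sample template and the secret name deployToken are constructed for illustration.

```python
import re

# A "${{ secrets..." expression, a YAML list item, and a step's id/action key.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\b")
ITEM = re.compile(r"^(\s*)(-\s+)")
KEY = re.compile(r"^(\s*(?:-\s+)?)(id|action):\s*['\"]?([^'\"\s#]+)")

def find_secret_inputs(text):
    """Return (step id, line number) for each secrets reference in a fetch:template step."""
    items, item, dash_col = [], None, 0
    for no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        if not body or body.startswith("#"):
            continue
        col = len(line) - len(body)
        if item is not None and col <= dash_col:
            item = None  # a sibling list item or a dedent closes the current step
        if item is None:
            m = ITEM.match(line)
            if not m:
                continue
            dash_col = col
            item = {"key_col": len(m.group(0)), "refs": []}
            items.append(item)
        k = KEY.match(line)
        if k and len(k.group(1)) == item["key_col"]:  # step-level keys only
            item[k.group(2)] = k.group(3)
        if SECRET_REF.search(line):
            item["refs"].append(no)
    return [(i.get("id", "?"), no) for i in items
            if i.get("action") == "fetch:template" for no in i["refs"]]

# Constructed sample template (not taken from a real repository).
SAMPLE = """\
spec:
  steps:
    - id: fetch-base
      action: fetch:template
      input:
        url: ./skeleton
        values:
          name: ${{ parameters.name }}
          token: ${{ secrets.deployToken }}
    - id: publish
      action: publish:github
      input:
        token: ${{ secrets.deployToken }}
"""

if __name__ == "__main__":
    print(find_secret_inputs(SAMPLE))
```

Only the fetch-base step is reported; the same secret passed to another action is outside the scope of this advisory and is not flagged.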

Affected Version(s)

backstage < 2.1.1

References

CVSS V3.1

Score: 2.6
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
