Severity: LOW (2.6) · Ecosystem: npm

Template Secret leakage in logs in Scaffolder when using `fetch:template`

GHSA-3x3q-ghcp-whf7 · CVE-2025-55285


Description

A logging flaw in Backstage Scaffolder’s `fetch:template` action up to `@backstage/plugin-scaffolder-backend` 2.1.0 may write template secrets to logs. The action emitted a duplicate, pre-redaction copy of its input parameters, so values provided via the `{{ secrets }}` bag could appear in local/server logs when the action ran. Exploitation requires use of the `secrets` argument and access to Scaffolder/build logs; integrity and availability are unaffected.

  • Fix: upgrade to `2.1.1`, which removes the duplicate log path and ensures secrets are redacted.
  • Mitigation: avoid passing `{{ secrets }}` to `fetch:template` if upgrading is not possible.
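The flaw pattern above (a raw copy of the action input reaching the log alongside the redacted copy) and the corrected pattern are shown below as an added example; this is not Backstage's own code, and the logger, the `redactSecrets` helper, the `findLeakedSecrets` check and the sample input and secret values are all constructed for illustration.

```typescript
// Added example, not Backstage's own code: a minimal model of a scaffolder-style
// action that receives template input and a `secrets` bag, showing the flawed
// logging path (raw input logged before redaction) next to the corrected one,
// plus a log check a defender can run. All names and values are constructed.

type ActionInput = Record<string, unknown>;
type SecretBag = Record<string, string>;

// In-memory logger standing in for the action's logger; collects lines so
// they can be inspected afterwards.
class CapturingLogger {
  readonly lines: string[] = [];
  info(message: string): void {
    this.lines.push(message);
  }
}

// Replace every occurrence of a secret value anywhere in the input (nested
// objects, arrays, and strings that embed the value) with a fixed marker.
function redactSecrets(value: unknown, secrets: SecretBag): unknown {
  const secretValues = Object.keys(secrets)
    .map((k) => secrets[k])
    .filter((v) => v.length > 0);
  if (typeof value === 'string') {
    let out = value;
    for (const sv of secretValues) {
      out = out.split(sv).join('[REDACTED]');
    }
    return out;
  }
  if (Array.isArray(value)) {
    return value.map((item) => redactSecrets(item, secrets));
  }
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    const obj = value as Record<string, unknown>;
    for (const key of Object.keys(obj)) {
      out[key] = redactSecrets(obj[key], secrets);
    }
    return out;
  }
  return value;
}

// Flawed pattern: a second, pre-redaction copy of the input reaches the log.
function runActionVulnerable(input: ActionInput, secrets: SecretBag, logger: CapturingLogger): void {
  logger.info(`fetch:template input: ${JSON.stringify(input)}`); // leaks raw values
  logger.info(`fetch:template input (redacted): ${JSON.stringify(redactSecrets(input, secrets))}`);
}

// Corrected pattern: only the redacted form is ever serialised into a log line.
function runActionFixed(input: ActionInput, secrets: SecretBag, logger: CapturingLogger): void {
  logger.info(`fetch:template input (redacted): ${JSON.stringify(redactSecrets(input, secrets))}`);
}

// Defender check: names of secrets whose values appear verbatim in the log lines.
function findLeakedSecrets(lines: string[], secrets: SecretBag): string[] {
  return Object.keys(secrets).filter((name) => {
    const sv = secrets[name];
    return sv.length > 0 && lines.some((line) => line.indexOf(sv) !== -1);
  });
}

// Constructed sample input: the template passes a secret through `values`.
const sampleSecrets: SecretBag = { ghToken: 'constructed-token-123' };
const sampleInput: ActionInput = {
  url: './skeleton',
  values: { name: 'demo', token: 'constructed-token-123', nested: ['x', 'Bearer constructed-token-123'] },
};

// Runs both variants over the same input and reports which secrets leaked.
function demo(): { vulnerableLeaks: string[]; fixedLeaks: string[] } {
  const vulnLogger = new CapturingLogger();
  runActionVulnerable(sampleInput, sampleSecrets, vulnLogger);
  const fixedLogger = new CapturingLogger();
  runActionFixed(sampleInput, sampleSecrets, fixedLogger);
  return {
    vulnerableLeaks: findLeakedSecrets(vulnLogger.lines, sampleSecrets),
    fixedLeaks: findLeakedSecrets(fixedLogger.lines, sampleSecrets),
  };
}

console.log(demo());
```

The `findLeakedSecrets` check is the part worth keeping around: run over captured Scaffolder or build log output with the secret values that were supplied to a run, it gives a direct answer to whether a given logging path redacted them, independent of which package version is deployed.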
