
Update dependency @backstage/plugin-scaffolder-backend to v3 [SECURITY] #201

Open
alithya-oss-backstage-ci[bot] wants to merge 1 commit into main from renovate/npm-backstage-plugin-scaffolder-backend-vulnerability

Conversation

@alithya-oss-backstage-ci
Contributor

This PR contains the following updates:

Package: @backstage/plugin-scaffolder-backend (source)
Change: ^1.33.0 -> ^3.0.0

Template Secret leakage in logs in Scaffolder when using fetch:template

CVE-2025-55285 / GHSA-3x3q-ghcp-whf7

More information

Details

A logging flaw in Backstage Scaffolder’s fetch:template action up to @backstage/plugin-scaffolder-backend 2.1.0 may write template secrets to logs. The action emitted a duplicate, pre-redaction copy of input parameters, so values provided via the `` bag could appear in local/server logs when the action ran. Exploitation requires use of the secrets argument and access to Scaffolder/build logs; integrity and availability are unaffected.

  • Fix: upgrade to 2.1.1, which removes the duplicate log path and ensures secrets are redacted.
  • Mitigation: avoid passing `` to fetch:template if upgrade is not possible.

Open an issue in the Backstage repository

Visit our Discord, linked to in Backstage README

Severity

  • CVSS Score: 2.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

CVE-2026-24046 / GHSA-rq6q-wr2q-7pgp

More information

Details

Impact

Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to:

  1. Read arbitrary files via the debug:log action by creating a symlink pointing to sensitive files (e.g., /etc/passwd, configuration files, secrets)
  2. Delete arbitrary files via the fs:delete action by creating symlinks pointing outside the workspace
  3. Write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks

This affects any Backstage deployment where users can create or execute Scaffolder templates.

Patches

This vulnerability is fixed in the following package versions:

  • @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, 0.15.0
  • @backstage/plugin-scaffolder-backend version 2.2.2, 3.0.2, 3.1.1
  • @backstage/plugin-scaffolder-node version 0.11.2, 0.12.3

Users should upgrade to these versions or later.

Workarounds
  • Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates
  • Restrict who can create and execute Scaffolder templates using the permissions framework
  • Audit existing templates for symlink usage
  • Run Backstage in a containerized environment with limited filesystem access
References

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass

CVE-2026-29184 / GHSA-8qp7-fhr9-fw53

More information

Details

Impact

A malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs.

The attack requires:

  • The ability to register a template in the catalog
  • A victim who executes the malicious template
Patches

Patched in @backstage/plugin-scaffolder-backend version 3.1.4

Workarounds
  • Implement a custom permission policy that restricts scaffolder.task.read so users can only read their own task logs
  • Restrict who can register templates in the catalog to trusted users only
Resources

Severity

  • CVSS Score: 2.0 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

backstage/backstage (@backstage/plugin-scaffolder-backend)

v3.1.4

Compare Source

Patch Changes

v3.1.3

Compare Source

Patch Changes

v3.1.2

Compare Source

Patch Changes

v3.1.1

Compare Source

Patch Changes

v3.1.0

Compare Source

Minor Changes
  • a4cd405: Add defaultEnvironment config to scaffolder to enable more flexible and custom templates. Now it's possible to enable access to default parameters and secrets in templates, improving security and reducing complexity.
Patch Changes

v3.0.2

Compare Source

v3.0.1

Compare Source

Patch Changes

v3.0.0

Compare Source

Major Changes
  • 9b81a90: BREAKING - Removing the deprecated types and interfaces, there's no replacement for these types, and hopefully not currently used as they offer no value with the plugin being on the new backend system and no way to consume them.

    Affected types: CreateWorkerOptions, CurrentClaimedTask, DatabaseTaskStore, DatabaseTaskStoreOptions, TaskManager, TaskStore, TaskStoreCreateTaskOptions, TaskStoreCreateTaskResult, TaskStoreEmitOptions, TaskStoreListEventsOptions, TaskStoreRecoverTaskOptions, TaskStoreShutDownTaskOptions, TaskWorker and TemplateActionRegistry.

Patch Changes

v2.2.2

Compare Source

v2.2.1

Compare Source

Patch Changes

v2.2.0

Compare Source

Minor Changes
  • c08cbc4: Move Scaffolder API to OpenAPI
  • 2032660: Fixed fs:readdir action example
  • 11dc90f: Implement max length for scaffolder auditor audit logging with default of 256
  • 812485c: Add step info to scaffolder action context to access the step id and name.
Patch Changes

v2.1.1

Compare Source

v2.1.0

Compare Source

Minor Changes
  • c1ce316: BREAKING /alpha: Converted scaffolder.task.read and scaffolder.task.cancel into Resource Permissions.

    BREAKING /alpha: Added a new scaffolder rule isTaskOwner for scaffolder.task.read and scaffolder.task.cancel to allow for conditional permission policies such as restricting access to tasks and task events based on task creators.

    BREAKING /alpha: Retrying a task now requires both scaffolder.task.read and scaffolder.task.create permissions, replacing the previous requirement of scaffolder.task.read and scaffolder.task.cancel.

Patch Changes

v2.0.0

Compare Source

Major Changes
  • 33394db: BREAKING CHANGES

    Removal of deprecated re-exports from module packages.

    The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

    • createPublishAzureAction should be imported from @backstage/plugin-scaffolder-backend-module-azure instead.

    • createPublishBitbucketCloudAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-cloud instead.

    • createPublishBitbucketServerAction and createPublishBitbucketServerPullRequestAction can be imported from @backstage/plugin-scaffolder-backend-module-bitbucket-server instead.

    • createPublishBitbucketAction should be imported from @backstage/plugin-scaffolder-backend-module-bitbucket instead.

    • createPublishGerritAction and createPublishGerritReviewAction can be imported from @backstage/plugin-scaffolder-backend-module-gerrit instead.

    • createGithubActionsDispatchAction, createGithubDeployKeyAction, createGithubEnvironmentAction, createGithubIssuesLabelAction, CreateGithubPullRequestActionOptions, createGithubRepoCreateAction, createGithubRepoPushAction, createGithubWebhookAction, and createPublishGithubAction can be imported from @backstage/plugin-scaffolder-backend-module-github instead.

    • createPublishGitlabAction should be imported from @backstage/plugin-scaffolder-backend-module-gitlab instead.

    • ActionContext, createTemplateAction, executeShellCommand, ExecuteShellCommandOptions, fetchContents, TaskSecrets, and TemplateAction should be imported from @backstage/plugin-scaffolder-node instead.

    • ScaffolderEntitiesProcessor should be imported from @backstage/plugin-catalog-backend-module-scaffolder-entity-model instead.

  • a8fcf04: BREAKING ALPHA: The /alpha export no longer exports the plugin. Please use import('@backstage/plugin-scaffolder-backend') instead as this has been removed.

    BREAKING CHANGES: The old createRouter function which was used in the old backend system has been removed along with the RouterOptions type.

  • 73b94d7: BREAKING CHANGES

    The following functions have been re-exported from the scaffolder-backend plugin for quite some time, and now it's time to clean them up. They've been moved as follows:

    • SerializedTask, SerializedTaskEvent, TaskBroker, TaskBrokerDispatchOptions, TaskBrokerDispatchResult, TaskCompletionState, TaskContext, TaskEventType, TaskStatus, TemplateFilter, and TemplateGlobal should be imported from @backstage/plugin-scaffolder-node instead.

    • The deprecated copyWithoutRender option has been removed from fetch:template action. You should rename the option to copyWithoutTemplating instead.

  • 5863b04: BREAKING CHANGES

    • The createBuiltinActions method has been removed, as this should no longer be needed with the new backend system route, and was only useful when passing the default list of actions again in the old backend system. You should be able to rely on the default behaviour of the new backend system which is to merge the actions.

    • The createCatalogRegisterAction and createFetchCatalogEntityAction actions no longer require an AuthService, and now accept a CatalogService instead of a CatalogClient.

    Unless you're providing your own override action to the default, this should be a non-breaking change.

    You can migrate using the following if you're getting typescript errors:

    import { coreServices, createBackendModule } from '@backstage/backend-plugin-api';
    import { ScmIntegrations } from '@backstage/integration';
    import { catalogServiceRef } from '@backstage/plugin-catalog-node';
    import {
      createCatalogRegisterAction,
      createFetchCatalogEntityAction,
    } from '@backstage/plugin-scaffolder-backend';
    import { scaffolderActionsExtensionPoint } from '@backstage/plugin-scaffolder-node/alpha';
    
    export const myModule = createBackendModule({
      pluginId: 'scaffolder',
      moduleId: 'test',
      register({ registerInit }) {
        registerInit({
          deps: {
            scaffolder: scaffolderActionsExtensionPoint,
            catalog: catalogServiceRef,
            // rootConfig is needed to build the SCM integrations that catalog:register resolves URLs with
            config: coreServices.rootConfig,
          },
          async init({ scaffolder, catalog, config }) {
            const integrations = ScmIntegrations.fromConfig(config);
            scaffolder.addActions(
              // catalog:register resolves catalog-info.yaml URLs, so it takes the integrations;
              // catalog:fetch only needs the CatalogService.
              createCatalogRegisterAction({
                catalog,
                integrations,
              }),
              createFetchCatalogEntityAction({
                catalog,
              }),
            );
          },
        });
      },
    });
Minor Changes
  • 73b94d7: DEPRECATIONS

    The following types and implementations have been deprecated, either because they're no longer relevant, or because upcoming changes to the scaffolder-backend after 2.0.0 will influence the changes to these API surfaces.

    • CreateWorkerOptions
    • DatabaseTaskStore
    • DatabaseTaskStoreOptions
    • TaskManager
    • TaskStoreCreateTaskOptions
    • TaskStoreCreateTaskResult
    • TaskStoreEmitOptions
    • TaskStoreListEventsOptions
    • TaskStoreRecoverTaskOptions
    • TaskStoreShutDownTaskOptions

    There is no current path off deprecation, these types are going to be removed and rethought with a better way to define workers in the new backend system.

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Signed-off-by: Renovate Bot <bot@renovateapp.com>
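The first advisory above (a duplicate, pre-redaction copy of the inputs written to the log) and the third (a template that gets secrets past log redaction) share one design point: redaction that happens at individual call sites is only as good as the least careful call site. The following added example is not Backstage code; it is a stand-alone TypeScript illustration of moving redaction to the log sink so that an extra or careless log line cannot leak the secrets bag. The `MemoryLogger`, `RedactingLogger`, `runFetchTemplateLike` and the token value are all constructed for the example; the last function shows the limit of value-based redaction that makes the task-log access control in the third advisory's workaround necessary.

```typescript
// Added example, not part of Backstage: sink-side redaction of task log output.

type Fields = Record<string, unknown> | undefined;

// Replace every occurrence of every secret value inside any string, recursively.
// Longest secret first so a secret that contains a shorter one is blanked whole.
function redactValue(value: unknown, secrets: readonly string[]): unknown {
  if (typeof value === 'string') {
    return secrets
      .filter(s => s.length > 0) // an empty "secret" would match everywhere
      .slice()
      .sort((a, b) => b.length - a.length)
      .reduce((acc, s) => acc.split(s).join('[REDACTED]'), value);
  }
  if (Array.isArray(value)) return value.map(v => redactValue(v, secrets));
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = redactValue(v, secrets);
    }
    return out;
  }
  return value;
}

// Minimal in-memory logger standing in for the task event log (constructed).
class MemoryLogger {
  readonly lines: string[] = [];
  info(message: string, fields?: Fields): void {
    this.lines.push(JSON.stringify({ level: 'info', message, fields }));
  }
}

// Sink-side redaction: every record is scrubbed before it is written, no matter
// which call site produced it or how many copies of the inputs it logged.
class RedactingLogger extends MemoryLogger {
  constructor(private readonly secrets: readonly string[]) {
    super();
  }
  info(message: string, fields?: Fields): void {
    const safe = redactValue({ message, fields }, this.secrets) as { message: string; fields?: Fields };
    super.info(safe.message, safe.fields);
  }
}

interface ActionInput {
  url: string;
  values: Record<string, string>;
  secrets?: Record<string, string>;
}

// The flawed pattern from the first advisory: one log line built from the raw
// input, plus the line the action meant to emit with call-site redaction.
function runFetchTemplateLike(input: ActionInput, logger: MemoryLogger): void {
  logger.info('fetch:template inputs (raw copy)', { input }); // the bug
  logger.info('fetch:template inputs', {
    input: { url: input.url, values: input.values, secrets: '***' },
  });
}

// Constructed scenario: the same action run once through a plain logger and once
// through the redacting sink. The token is a made-up value, not a credential.
function demo(): { leaky: string[]; safe: string[]; token: string } {
  const token = 'ghp_constructedExampleToken123';
  const input: ActionInput = {
    url: 'https://github.com/acme/template',
    values: { name: 'svc' },
    secrets: { GITHUB_TOKEN: token },
  };
  const plain = new MemoryLogger();
  runFetchTemplateLike(input, plain);
  const sink = new RedactingLogger([token]);
  runFetchTemplateLike(input, sink);
  return { leaky: plain.lines, safe: sink.lines, token };
}

// Caveat: value-based redaction matches only the literal value. A template that
// transforms a secret before logging it (base64 here) is not caught, which is why
// restricting scaffolder.task.read to the task owner is the real backstop.
function survivesTransform(secret: string): boolean {
  const encoded = Buffer.from(secret).toString('base64');
  return (redactValue(encoded, [secret]) as string).includes(encoded);
}
```

`demo()` returns two logs: the plain one contains the token in the raw-copy line, the sink-redacted one does not, even though the action code is identical. `survivesTransform` returns true, documenting the gap that no sink-side filter closes.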
@alithya-oss-backstage-ci bot added the dependencies and security labels on Mar 31, 2026
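The second advisory above lists three actions (debug:log reads, fs:delete, tar/zip extraction) that all fail the same way: the path is checked lexically, but a symlink inside the workspace points somewhere else. The following added example is not Backstage code; it contrasts a lexical prefix check with a realpath-based one and applies the latter to archive entries, using node's fs/path on a constructed temporary workspace. Function names, the workspace layout and the archive entries are all assumptions made for the example.

```typescript
// Added example, not part of Backstage: symlink-aware workspace containment checks.
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

// Lexical check only: path.resolve never touches the filesystem, so a symlink
// that lives inside the workspace but points outside it passes.
function lexicallyInsideWorkspace(workspace: string, rel: string): boolean {
  const resolved = path.resolve(workspace, rel);
  return resolved === workspace || resolved.startsWith(workspace + path.sep);
}

function lexists(p: string): boolean {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Filesystem-aware check: find the deepest existing component (lstat, so a
// dangling symlink counts as present), resolve its real path, re-append the
// not-yet-existing tail, and compare against the workspace's real path. Covers
// paths to be read or deleted as well as paths about to be written.
function reallyInsideWorkspace(workspace: string, rel: string): boolean {
  const wsReal = fs.realpathSync(workspace);
  let existing = path.resolve(workspace, rel);
  const tail: string[] = [];
  while (!lexists(existing)) {
    const parent = path.dirname(existing);
    if (parent === existing) return false; // reached the filesystem root
    tail.unshift(path.basename(existing));
    existing = parent;
  }
  let real: string;
  try {
    real = fs.realpathSync(existing); // throws on a dangling symlink: refuse it
  } catch {
    return false;
  }
  const finalPath = path.join(real, ...tail);
  return finalPath === wsReal || finalPath.startsWith(wsReal + path.sep);
}

interface ArchiveEntry { name: string; type: 'file' | 'dir' | 'symlink'; linkTarget?: string }

// Per-entry validation for tar/zip extraction. Entries are checked against the
// directory as already extracted, so a symlink planted by an earlier entry
// cannot redirect a later file write outside the workspace.
function isSafeArchiveEntry(workspace: string, entry: ArchiveEntry): boolean {
  const parts = entry.name.split(/[\\/]+/);
  if (path.isAbsolute(entry.name) || parts.includes('..')) return false;
  if (!reallyInsideWorkspace(workspace, entry.name)) return false;
  if (entry.type === 'symlink') {
    if (entry.linkTarget === undefined || path.isAbsolute(entry.linkTarget)) return false;
    // A link target is relative to the link's own directory.
    const target = path.join(path.dirname(entry.name), entry.linkTarget);
    return reallyInsideWorkspace(workspace, target);
  }
  return true;
}

// Constructed scenario: a workspace holding links a malicious template step could
// have created: one to a file outside, one to a directory outside, one dangling.
function demo(): { lexical: boolean; real: boolean; dangling: boolean; archiveLink: boolean; nestedWrite: boolean } {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'scaffolder-ws-'));
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), 'outside-'));
  try {
    fs.writeFileSync(path.join(outside, 'secret.txt'), 'constructed secret\n');
    fs.symlinkSync(path.join(outside, 'secret.txt'), path.join(ws, 'link-to-secret'));
    fs.symlinkSync(outside, path.join(ws, 'escape-dir'));
    fs.symlinkSync(path.join(outside, 'missing.txt'), path.join(ws, 'dangling'));
    return {
      lexical: lexicallyInsideWorkspace(ws, 'link-to-secret'), // true: the flaw
      real: reallyInsideWorkspace(ws, 'link-to-secret'),       // false
      dangling: reallyInsideWorkspace(ws, 'dangling'),         // false
      archiveLink: isSafeArchiveEntry(ws, { name: 'lib/evil', type: 'symlink', linkTarget: '../../../etc' }),
      nestedWrite: isSafeArchiveEntry(ws, { name: 'escape-dir/new-file', type: 'file' }), // false: parent escapes
    };
  } finally {
    fs.rmSync(ws, { recursive: true, force: true });
    fs.rmSync(outside, { recursive: true, force: true });
  }
}
```

These are check-time guards: a step that runs between the check and the read, delete or write can still swap a directory for a symlink, so the operation itself should refuse to follow links (lstat-based deletion, opening with O_NOFOLLOW) and, as the advisory's workarounds say, template authorship should be restricted and the process should see as little of the filesystem as possible.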
@alithya-oss-backstage-ci
Contributor Author

Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

  • @alithya-oss/backstage-plugin-scaffolder-backend-module-aws-apps

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name | Package Path | Changeset Bump | Current Version
backend | workspaces/aws/packages/backend | none | v0.0.6
@alithya-oss/backstage-plugin-scaffolder-backend-module-aws-apps | workspaces/aws/plugins/scaffolder-backend-module-aws-apps | none | v0.3.12

@alithya-oss-backstage-ci
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
