
Mounted Kubernetes Secrets under a predictable path located within the web server document root

Critical
carrodher published GHSA-wgg9-9qgw-529w Jul 23, 2025

Package / Affected versions / Patched versions

  • helm bitnamicharts/appsmith (Helm): ≥ 5.2.0 affected; patched in 6.0.19
  • helm bitnamicharts/drupal (Helm): ≥ 21.2.0 affected; patched in 22.0.4
  • helm bitnamicharts/wordpress (Helm): ≥ 24.2.0 affected; patched in 25.0.4

Description

Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root.
In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem.

Affected versions

  • bitnami/wordpress: ≥ 24.2.0, < 25.0.4
  • bitnami/appsmith: ≥ 5.2.0, < 6.0.19
  • bitnami/drupal: ≥ 21.2.0, < 22.0.4

Impact

Remote attackers can retrieve secrets via predictable URL paths if the application is exposed externally.

Mitigation

Upgrade to the first unaffected version of each chart (appsmith 6.0.19, drupal 22.0.4, wordpress 25.0.4).
As a workaround, upgrade the Helm release with usePasswordFiles=false (for example, --set usePasswordFiles=false on helm upgrade) so the chart passes secrets to the container through environment variables instead of mounting them as files, which keeps them out of the web root. Alternatively, apply web server or ingress rules that deny access to the secrets path; note that this blocks HTTP/S retrieval only and leaves the secret files on disk inside the document root. If an affected deployment was reachable externally, treat the mounted credentials as potentially exposed and rotate them after remediating.
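The following Python check is an added example, not code from this advisory or from the Bitnami charts. It models the vulnerable condition described above on a rendered Pod spec: a Secret-backed volume whose mountPath lies inside the web server document root, which is what usePasswordFiles=true produces, and it shows why the usePasswordFiles=false workaround clears the finding (the Secret is consumed through environment variables and nothing lands on disk). The document roots, the env var names and both Pod specs are constructed assumptions based on the /opt/bitnami/*/secrets pattern, not values read from the charts.

```python
"""Flag Kubernetes Secret volumes that land inside a web server document root.

Added example, not code from the advisory or from the Bitnami charts. It
models the advisory's condition on a rendered Pod spec: a volume backed by a
Secret whose mountPath lies below the container's document root is served at
a predictable URL. The document roots below and the URL derivation are
assumptions based on the /opt/bitnami/*/secrets pattern, not chart values.
"""
from pathlib import PurePosixPath

# Assumed document roots for the three charts (assumption, not from the advisory).
DOC_ROOTS = {
    "wordpress": "/opt/bitnami/wordpress",
    "drupal": "/opt/bitnami/drupal",
    "appsmith": "/opt/bitnami/appsmith",
}


def _relative_to_root(path, root):
    """Return path relative to root, or None if path is not inside root.

    Component-wise comparison, so /opt/bitnami/wordpress-backup is NOT
    treated as inside /opt/bitnami/wordpress (a plain startswith would be).
    """
    try:
        return PurePosixPath(path).relative_to(root)
    except ValueError:
        return None


def secret_mounts_in_docroot(pod_spec, doc_roots=DOC_ROOTS):
    """Return one (container, secretName, mountPath, urlPath) tuple for every
    Secret-backed volume mounted below a known document root."""
    secret_volumes = {
        v["name"]: v["secret"]["secretName"]
        for v in pod_spec.get("volumes", [])
        if "secret" in v
    }
    findings = []
    for container in pod_spec.get("containers", []):
        for mount in container.get("volumeMounts", []):
            if mount["name"] not in secret_volumes:
                continue  # PVCs, ConfigMaps, emptyDirs are out of scope here
            for root in doc_roots.values():
                rel = _relative_to_root(mount["mountPath"], root)
                if rel is None:
                    continue
                # URL the web server would serve the directory under, assuming the
                # document root maps to "/" and no deny rules are in place.
                url = "/" if rel == PurePosixPath(".") else "/" + rel.as_posix() + "/"
                findings.append((container["name"], secret_volumes[mount["name"]],
                                 mount["mountPath"], url))
    return findings


# Constructed Pod spec for a deployment with the default usePasswordFiles=true:
# the chart Secret is mounted as files under the document root.
VULNERABLE_POD = {
    "volumes": [
        {"name": "wordpress-secrets", "secret": {"secretName": "wordpress"}},
        {"name": "wordpress-data", "persistentVolumeClaim": {"claimName": "wordpress"}},
    ],
    "containers": [{
        "name": "wordpress",
        "volumeMounts": [
            {"name": "wordpress-secrets", "mountPath": "/opt/bitnami/wordpress/secrets"},
            {"name": "wordpress-data", "mountPath": "/bitnami/wordpress"},
        ],
    }],
}

# Constructed Pod spec after the workaround (usePasswordFiles=false): the same
# Secret is consumed via env vars; nothing secret is written into the web root.
HARDENED_POD = {
    "volumes": [
        {"name": "wordpress-data", "persistentVolumeClaim": {"claimName": "wordpress"}},
    ],
    "containers": [{
        "name": "wordpress",
        "env": [{"name": "DB_PASSWORD",  # constructed name, not the chart's
                 "valueFrom": {"secretKeyRef": {"name": "wordpress", "key": "db-password"}}}],
        "volumeMounts": [{"name": "wordpress-data", "mountPath": "/bitnami/wordpress"}],
    }],
}


if __name__ == "__main__":
    for container, secret, mount, url in secret_mounts_in_docroot(VULNERABLE_POD):
        print(f"EXPOSED container={container} secret={secret} mount={mount} url={url}")
    print("hardened findings:", secret_mounts_in_docroot(HARDENED_POD))
```

To run it against a live release, feed the function the `.spec` of a Pod from `kubectl get pod <name> -o json` (loaded with `json.load`); the check only looks at `volumes` and `containers.volumeMounts`, so extend it to `initContainers` if your deployment mounts secrets there too.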

Severity

Critical

CVSS overall score

10.0 / 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2025-41240

Weaknesses

Insufficiently Protected Credentials (CWE-522)

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Credits