CVE-2025-41240 | Three Bitnami Helm charts mount Kubernetes Secrets under a p… | CVSS 10.0 CRITICAL

Description

Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem.

Metadata

CVE ID: CVE-2025-41240
State: PUBLISHED
Assigner: vmware
Reserved: 2025-04-16 09:30 UTC
Published: 2025-07-24 06:42 UTC
Last updated: 2026-02-26 17:50 UTC
Primary CWE: CWE-552
CWE-552 Files or Directories Accessible to External Parties
Vendor / Product: VMware / bitnamicharts/appsmith
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (3)

Vendor	Product	Platform	Versions
VMware	bitnamicharts/appsmith	—	21.2.0 ≤ 22.0.4
VMware	bitnamicharts/drupal	—	5.2.0 < 6.0.19
VMware	bitnamicharts/wordpress	—	24.2.0 < 25.0.4

Weakness (CWE)

CWE	Source	Description
CWE-552	adp	CWE-552 Files or Directories Accessible to External Parties

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/bitnami/charts/security/advisories/GHSA-wgg9-9qgw-529w