Cyber Posture

CVE-2025-41240

Severity: Critical

Published: 24 July 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0039 (59.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-41240 is a critical-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 40.2% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- (prevent) Enforces approved authorizations and minimal information transfer for publicly accessible interfaces such as web servers, directly preventing unauthenticated HTTP access to mounted Kubernetes Secrets in the document root.
- AC-22 Publicly Accessible Content (prevent): Restricts access to publicly accessible content, mitigating exposure of sensitive credentials via predictable paths in the web server document root.
- CM-6 Configuration Settings (prevent): Establishes and enforces secure configuration settings, such as overriding the default usePasswordFiles=true in Bitnami Helm charts, to prevent mounting Secrets in web-accessible paths.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Vulnerability exposes Kubernetes Secrets as predictable, HTTP-accessible files in the document root of a public-facing web application, directly enabling remote exploitation of the exposed service (T1190) and retrieval of unsecured credentials from files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem.

Deeper analysis

CVE-2025-41240 is a critical vulnerability (CVSS 10.0, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) affecting three Bitnami Helm charts for Kubernetes deployments. The issue stems from these charts mounting Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that resides within the web server document root. In affected versions using the default configuration of usePasswordFiles=true, this exposes sensitive credentials as files on the container filesystem, enabling unauthenticated access via HTTP/S by simply requesting specific URLs.

A remote attacker needs no privileges or user interaction and can exploit this over the network with low complexity whenever the affected application is exposed externally. Successful exploitation yields the credentials stored in the Secrets; because those credentials grant access beyond the web server component itself (the changed scope, S:C), the impact is rated high for confidentiality, integrity, and availability (C:H/I:H/A:H). The weakness is classified as CWE-552 (Files or Directories Accessible to External Parties).

The Bitnami security advisory at https://github.com/bitnami/charts/security/advisories/GHSA-wgg9-9qgw-529w provides details on mitigation, including patches and configuration changes to address the exposure.
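As an added defender-side example (not code from this page, from Bitnami, or from the advisory): a Python audit that walks `kubectl get pods -o json` output and flags every Secret-backed volumeMount whose mountPath lies inside a web document root, which is exactly the condition the description above identifies. The sample Pod JSON, the pod/container/volume/Secret names in it, and the `/opt/bitnami/webapp` document root are constructed assumptions; only the `/opt/bitnami/<app>/secrets` mount pattern and the `usePasswordFiles` values key come from the page.

```python
"""Audit rendered Kubernetes Pod objects for Secret volumes mounted inside a web document root."""
import json
from posixpath import normpath

# Constructed sample in the shape of `kubectl get pods -o json` output. The pod, container,
# volume and Secret names are placeholders invented for this example, not values from the
# advisory; the mountPath mirrors the /opt/bitnami/<app>/secrets pattern the CVE describes.
SAMPLE_PODS_JSON = r"""
{ "items": [ { "metadata": {"name": "webapp-0", "namespace": "demo"},
    "spec": {
      "volumes": [
        {"name": "app-secrets", "secret": {"secretName": "webapp-credentials"}},
        {"name": "tls", "secret": {"secretName": "webapp-tls"}},
        {"name": "data", "emptyDir": {}}
      ],
      "containers": [ { "name": "webapp", "volumeMounts": [
        {"name": "app-secrets", "mountPath": "/opt/bitnami/webapp/secrets"},
        {"name": "tls", "mountPath": "/etc/tls", "readOnly": true},
        {"name": "data", "mountPath": "/opt/bitnami/webapp/data"}
      ] } ]
    } } ] }
"""


def is_under(path: str, root: str) -> bool:
    """True when `path` is `root` itself or a descendant of it (lexical POSIX check, no symlink resolution)."""
    p, r = normpath(path), normpath(root)
    return p == r or p.startswith(r.rstrip("/") + "/")


def secret_volumes(pod_spec: dict) -> dict:
    """Map volume name -> Secret name(s) for volumes that materialise Secret data as files."""
    out = {}
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            out[vol["name"]] = vol["secret"].get("secretName", "<unnamed>")
        elif "projected" in vol:  # projected volumes can carry Secret sources too
            names = [s["secret"].get("name", "<unnamed>")
                     for s in vol["projected"].get("sources", []) if "secret" in s]
            if names:
                out[vol["name"]] = ",".join(names)
    return out


def find_exposed_secret_mounts(pod_list: dict, docroots: list) -> list:
    """Return one finding per Secret-backed volumeMount whose mountPath lies under a document root."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        secrets = secret_volumes(spec)
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            for mount in container.get("volumeMounts", []):
                secret = secrets.get(mount.get("name"))
                if secret is None:
                    continue  # not a Secret volume (emptyDir, PVC, configMap, ...)
                hit = next((r for r in docroots if is_under(mount["mountPath"], r)), None)
                if hit is not None:
                    findings.append({
                        "namespace": meta.get("namespace", "default"),
                        "pod": meta.get("name", "<unnamed>"),
                        "container": container.get("name", "<unnamed>"),
                        "secret": secret,
                        "mountPath": mount["mountPath"],
                        "docroot": hit,
                    })
    return findings


def audit_pods_json(text: str, docroots: list) -> list:
    """Parse `kubectl get pods -o json` output and audit it against the given document roots."""
    return find_exposed_secret_mounts(json.loads(text), docroots)


if __name__ == "__main__":
    # "/opt/bitnami/webapp" is an assumed document root for the sample; in practice pass the
    # roots taken from the container's httpd/nginx configuration.
    for f in audit_pods_json(SAMPLE_PODS_JSON, ["/opt/bitnami/webapp"]):
        print(f"{f['namespace']}/{f['pod']} [{f['container']}]: Secret {f['secret']} "
              f"mounted at {f['mountPath']} inside document root {f['docroot']}")
```

Against a live cluster, feed it `kubectl get pods -A -o json` and the document roots your web images actually serve from; a finding means the chart should be redeployed with the mount moved out of the served tree (for the affected Bitnami charts, the advisory's configuration change to the `usePasswordFiles` default). The path test is deliberately lexical and prefix-safe, so `/opt/bitnami/webapp-secrets` is not mistaken for a child of `/opt/bitnami/webapp`; it does not follow symlinks, which a filesystem-level check inside the container would still need to cover.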

Details

CWE(s)

CWE-552 Files or Directories Accessible to External Parties

CVEs Like This One

- CVE-2020-37082 (shared CWE-552)
- CVE-2026-34361 (shared CWE-552)
- CVE-2026-35446 (shared CWE-552)
- CVE-2025-69428 (shared CWE-552)
- CVE-2025-26525 (shared CWE-552)
- CVE-2026-34392 (shared CWE-552)
- CVE-2026-33698 (shared CWE-552)
- CVE-2019-25709 (shared CWE-552)
- CVE-2024-48864 (shared CWE-552)
- CVE-2025-11371 (shared CWE-552)

References

- Bitnami security advisory GHSA-wgg9-9qgw-529w: https://github.com/bitnami/charts/security/advisories/GHSA-wgg9-9qgw-529w