CVE-2025-41240
Published: 24 July 2025
Summary
CVE-2025-41240 is a critical-severity vulnerability of type Files or Directories Accessible to External Parties (CWE-552). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2025-41240 is a critical exposure vulnerability affecting three Bitnami Helm charts that mount Kubernetes Secrets at the predictable filesystem path /opt/bitnami/*/secrets, which lies inside the web server document root. The flaw is triggered by the default setting usePasswordFiles=true, which writes the secrets as files that can then be retrieved with plain HTTP or HTTPS requests. It affects containerized deployments in which the application is exposed externally.
A remote unauthenticated attacker can exploit the issue by directly requesting specific URLs under the document root to retrieve sensitive credentials such as passwords or keys. Because the path is predictable and no authentication is required, successful exploitation grants full access to the mounted secrets, potentially allowing complete compromise of the affected application and its connected services.
The referenced GitHub Security Advisory GHSA-wgg9-9qgw-529w provides details on the affected charts and remediation steps. The EPSS score has remained flat at 0.0132 with no material increase since disclosure.
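As an added defender-side check, not part of the advisory or of the Bitnami charts themselves, the following Python audits a rendered Pod spec (the parsed form of `helm template` output) for Secret volumes mounted under the advisory's predictable path. The sample spec, its volume names and Secret names are constructed for illustration; the only value taken from the advisory is the mount-path pattern.

```python
import fnmatch
from typing import Dict, List

# Mount-path pattern named in the advisory: affected charts write Secrets here.
SECRET_MOUNT_GLOB = "/opt/bitnami/*/secrets"

# Constructed sample: a rendered Pod spec in parsed (dict) form, as you would
# get from loading `helm template` output. Names are illustrative only.
SAMPLE_POD_SPEC = {
    "volumes": [
        {"name": "app-secrets", "secret": {"secretName": "app-credentials"}},
        {"name": "app-data", "persistentVolumeClaim": {"claimName": "app-pvc"}},
    ],
    "containers": [
        {
            "name": "app",
            "volumeMounts": [
                {"name": "app-secrets", "mountPath": "/opt/bitnami/app/secrets"},
                {"name": "app-data", "mountPath": "/bitnami/app"},
            ],
        }
    ],
}


def find_exposed_secret_mounts(pod_spec: Dict) -> List[str]:
    """Return 'container:mountPath' for each Secret volume mounted at or below
    the advisory's predictable path. A non-empty result means the rendered
    chart still relies on usePasswordFiles=true and needs review."""
    secret_volumes = {
        v["name"] for v in pod_spec.get("volumes", []) if "secret" in v
    }
    findings: List[str] = []
    all_containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in all_containers:
        for mount in container.get("volumeMounts", []):
            path = mount.get("mountPath", "").rstrip("/")
            under_secret_path = (
                fnmatch.fnmatch(path, SECRET_MOUNT_GLOB)
                or fnmatch.fnmatch(path, SECRET_MOUNT_GLOB + "/*")
            )
            if mount.get("name") in secret_volumes and under_secret_path:
                findings.append(f"{container['name']}:{path}")
    return findings


if __name__ == "__main__":
    for finding in find_exposed_secret_mounts(SAMPLE_POD_SPEC):
        print("exposed secret mount:", finding)
```

Run it against every Pod-bearing object in the rendered manifest; an empty result for all of them is the expected state after switching the chart away from usePasswordFiles=true.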
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22486
Vulnerability details
Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes Kubernetes Secrets as predictable, HTTP-accessible files in the document root of a public-facing web application. This directly enables remote exploitation of the exposed service (T1190) and retrieval of unsecured credentials from files (T1552.001).
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations and minimal information transfer for publicly accessible interfaces such as web servers, directly preventing unauthenticated HTTP access to mounted Kubernetes Secrets in the document root.
- AC-22 (Publicly Accessible Content): restricts access to publicly accessible content, mitigating exposure of sensitive credentials via predictable paths in the web server document root.
- CM-6 (Configuration Settings): establishes and enforces secure configuration settings, such as disabling usePasswordFiles=true in Bitnami Helm charts, to prevent mounting Secrets in web-accessible paths.