CVE-2019-25210 – helm.sh/helm/v3

Package

Manager: go
Name: helm.sh/helm/v3
Vulnerable Version: <0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00173 pctl0.39048

Details

Withdrawn Advisory: Helm shows secrets in clear text ### Withdrawn Advisory This advisory has been withdrawn because the issue describes intended behavior and the output is not exposed to unauthorized users. This link has been maintained to preserve external references. ### Original Description An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values).

Metadata

Created: 2024-03-03T21:31:25Z
Modified: 2025-06-19T14:29:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-jw44-4f3j-q396/GHSA-jw44-4f3j-q396.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-jw44-4f3j-q396
Finding: F308
Auto approve: 1