Data Exposure in Onyxia-API for Kubernetes by Insee Fr Lab
CVE-2025-58366

9.4CRITICAL

Key Information:

Vendor: Inseefrlab
Status: Onyxia
Vendor: CVE Published:; 5 September 2025

What is CVE-2025-58366?

In Onyxia-API versions 4.6.0 through 4.8.0, a significant vulnerability was identified that allows the leakage of credentials for private helm repositories through the publicly accessible /public/catalogs endpoint. This issue is particularly critical for deployments utilizing private helm repositories, where sensitive configurations inadvertently become exposed to unauthorized users. Users are encouraged to update to version 4.9.0 or above to mitigate this risk effectively.

Affected Version(s)

onyxia >= 4.6.0, < 4.9.0

References

https://github.com/InseeFrLab/onyxia/security/advisories/...

x_refsource_CONFIRM

https://github.com/InseeFrLab/onyxia-api/pull/613

x_refsource_MISC

https://github.com/InseeFrLab/onyxia-api/releases/tag/v4.9.0

x_refsource_MISC

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 5, 2025
Vulnerability Reserved
Aug 29, 2025

Inseefrlab

What is CVE-2025-58366?

Affected Version(s)

References

CVSS V4

Timeline