CVE-2019-25210
Description
An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 3.13.3. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values). Also, it is not the Helm Project's responsibility if a user decides to use --dry-run within a CI/CD environment whose output is visible to unauthorized persons.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Helm --dry-run outputs Kubernetes Secret values in plaintext, exposing sensitive data when CI/CD logs are visible to unauthorized parties.
The vulnerability in Helm through version 3.13.3 concerns the --dry-run flag used with helm install and helm upgrade. When these commands are executed with --dry-run, Helm generates and displays all chart manifests that would be sent to the Kubernetes API, including Kubernetes Secrets. The Secret values are rendered in plaintext as part of the manifest output, rather than being summarized or omitted [1][2][4]. This behavior was intentionally introduced in Helm 3, where Secrets are treated like any other Kubernetes manifest resource [2].
Exploitation occurs in environments where the output of a --dry-run execution is captured and visible to unauthorized individuals. For example, in CI/CD pipelines, the tool may log the entire --dry-run output to a build log accessible by multiple team members or external actors. An attacker with access to such logs can read the plaintext secret values. No special privileges are required beyond access to the logged output; the attack vector is the exposure of the generated manifests to an unintended audience [1][2][4].
The impact is the unauthorized disclosure of sensitive information contained in Kubernetes Secrets. This can include API keys, database passwords, certificates, or any other data stored as a Secret. Depending on the secrets exposed, an attacker could compromise connected services, gain elevated access, or pivot to further attacks within the Kubernetes cluster or external systems [2][4].
As of the publication of this CVE, the Helm project has rejected the classification of this behavior as a vulnerability. The maintainers state that the --dry-run functionality is intentionally designed to show all rendered manifests, including Secrets, and that removing this would break backward compatibility for users who depend on seeing these values during debugging [2]. The vendor recommends that users avoid using --dry-run in environments where the output may be exposed to unauthorized parties, or implement measures to secure the output channel [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
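One way to secure the output channel in a CI job, as an added example that is not code from the Helm project or from this advisory: a line-based filter that masks the `data` and `stringData` values of every `kind: Secret` document in rendered dry-run output before it reaches a build log. The function names, the `<redacted>` placeholder and the sample manifest are assumptions constructed for illustration.

```python
import re
import sys

KIND_SECRET = re.compile(r"^kind:\s*['\"]?Secret['\"]?\s*$")
SENSITIVE = re.compile(r"^(data|stringData):(.*)$")
KEY_LINE = re.compile(r"^(\s+)([^\s#][^:]*):(\s.*)?$")
PLACEHOLDER = "<redacted>"  # assumed marker, not something Helm emits

def _redact_doc(lines):
    out, in_block, indent = [], False, None
    for line in lines:
        if line and not line[0].isspace() and not line.startswith("#"):
            m = SENSITIVE.match(line)          # any other top-level key ends the block
            in_block, indent = bool(m), None
            inline = m and m.group(2).strip()  # flow style, e.g. data: {k: v}
            out.append(f"{m.group(1)}: {PLACEHOLDER}" if inline else line)
        elif not in_block:
            out.append(line)
        else:
            k = KEY_LINE.match(line)
            if k and indent in (None, len(k.group(1))):
                indent = len(k.group(1))
                out.append(f"{k.group(1)}{k.group(2)}: {PLACEHOLDER}")
            # everything else in the block (scalar continuation, comment) is dropped
    return out

def redact_secrets(rendered):
    out, doc = [], []
    def flush():
        secret = any(KIND_SECRET.match(l) for l in doc)
        out.extend(_redact_doc(doc) if secret else doc)
        doc.clear()
    for line in rendered.splitlines():
        if line.startswith("---"):             # YAML document separator
            flush()
            out.append(line)
        else:
            doc.append(line)
    flush()
    return "\n".join(out) + "\n"

# Constructed sample shaped like dry-run output; names and values are made up.
SAMPLE = (
    "MANIFEST:\n---\n# Source: demo/templates/secret.yaml\nkind: Secret\n"
    "data:\n  password: c3VwZXJzZWNyZXQ=\nstringData:\n  tls.key: |\n    key-line: 1\n"
    "---\nkind: ConfigMap\ndata:\n  mode: debug\n"
)

if __name__ == "__main__":  # pipe dry-run output in, or run on a terminal to see SAMPLE
    sys.stdout.write(redact_secrets(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```

Secrets nested inside a `kind: List`, and secret values templated into other resources such as container `env` entries, are not covered by this filter.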
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| helm.sh/helm/v3 (Go) | >= 3.0.0, <= 3.14.2 | — |
Affected products (221)
- Cloud Native Computing Foundation/Helm (source: description)
Patches
No patches discovered yet.