VYPR
Critical severity · OSV Advisory · Published Sep 5, 2025 · Updated Apr 15, 2026

CVE-2025-58366

Description

Onyxia is a data science environment for Kubernetes. In versions 4.6.0 through 4.8.0, Onyxia-API leaked the credentials of private Helm repositories through the public (unauthenticated) /public/catalogs endpoint. Only instances using private Helm repositories (i.e. setting a username and password in the catalogs configuration) are affected. This is fixed in version 4.9.0.
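The mechanism behind that description, as an added example that is not code from the Onyxia project: two constructed stand-ins for CatalogWrapper, one with plain credential fields as in 4.6.0 through 4.8.0 and one carrying the WRITE_ONLY annotation from the fix, are each populated from a constructed catalog configuration and then serialized the way a JSON endpoint would serialize them. The class and field names, the configuration fragment and the credential values are assumptions for illustration; only the annotation is taken from the patch. It needs jackson-databind on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;

public class CatalogLeakDemo {

    // Constructed stand-in for the pre-4.9.0 shape: the credentials are ordinary
    // properties, so every serialization of the object, including the one behind
    // an unauthenticated endpoint, carries them.
    public static class VulnerableCatalog {
        public String id;
        public String location;
        public String username;
        public String password;
    }

    // Constructed stand-in for the fixed shape: WRITE_ONLY lets Jackson populate
    // the field from configuration but drops it from every serialization.
    public static class HardenedCatalog {
        public String id;
        public String location;
        @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
        public String username;
        @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
        public String password;
    }

    // Constructed configuration fragment for a private Helm repository;
    // the host, user and password are assumptions, not real values.
    static final String CONFIG =
        "{\"id\":\"internal\",\"location\":\"https://helm.example.internal\","
      + "\"username\":\"svc-helm\",\"password\":\"assumed-secret\"}";

    // Serialize a catalog object the way a read endpoint would.
    static String render(ObjectMapper mapper, Object catalog) throws Exception {
        return mapper.writeValueAsString(catalog);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        VulnerableCatalog vulnerable = mapper.readValue(CONFIG, VulnerableCatalog.class);
        String vulnerableOut = render(mapper, vulnerable);
        System.out.println("pre-fix  : " + vulnerableOut);
        System.out.println("pre-fix leaks secret : " + vulnerableOut.contains("assumed-secret"));

        HardenedCatalog hardened = mapper.readValue(CONFIG, HardenedCatalog.class);
        String hardenedOut = render(mapper, hardened);
        System.out.println("post-fix : " + hardenedOut);
        // The server-side object still holds the password for repository access;
        // only the serialized form no longer contains it.
        System.out.println("post-fix server has password : " + (hardened.password != null));
        System.out.println("post-fix leaks secret : " + hardenedOut.contains("assumed-secret"));
    }
}
```

Running it prints the two JSON documents side by side: the first contains both credential fields, the second contains neither while the in-memory object keeps its password. The same contrast is what a regression test for this class should assert, since the annotation-only fix is easy to lose in a later refactor.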


Patches (1)
38fe3acca6c0

Fix helm credentials (#613)

https://github.com/inseefrlab/onyxia-api · Olivier Levitt · Sep 3, 2025 · via osv
1 file changed · +2 −0
  • onyxia-api/src/main/java/fr/insee/onyxia/api/configuration/CatalogWrapper.java (+2 −0, modified)
    @@ -93,9 +93,11 @@ public class CatalogWrapper {
         private int maxNumberOfVersions = 5;
     
         @Schema(description = "Username for basic authentication")
    +    @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
         private String username = null;
     
         @Schema(description = "Password for basic authentication")
    +    @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
         private String password = null;
     
         public enum MultipleServicesMode {
    
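Review bot: the fix is annotation-only and ships without a test in this one-file diff, so nothing asserts that a serialized CatalogWrapper omits `username` and `password`; a later custom serializer, DTO copy or field rename could silently reintroduce the leak. Add a serialization test that sets both credentials on a CatalogWrapper, runs it through the application's ObjectMapper and asserts neither key appears in the output. The `@Schema(description = "Username for basic authentication")` and password annotations on the same fields still advertise them as ordinary properties in the OpenAPI document; marking them `accessMode = Schema.AccessMode.WRITE_ONLY` there as well would keep the published spec consistent with the wire behaviour.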

