PT-2025-52206 · Headlamp · Headlamp

Published: 2025-12-17 · Updated: 2025-12-26 · CVE-2025-14269

CVSS v2.0: 10 (Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Name of the Vulnerable Software and Affected Versions: Headlamp versions prior to 0.39.0

Description: A configuration issue with config.enableHelm: true in the Headlamp user interface for Kubernetes cluster management leads to information disclosure through caching when processing the /clusters/main/helm/releases/list directory. Exploitation may allow a remote attacker to gain unauthorized access to protected information by sending a specially crafted request. The issue involves credential caching and can impact private Kubernetes clusters if Headlamp is running in-cluster with Helm enabled and an authorized user has accessed Helm previously; in that case unauthenticated users may be able to access Helm. Exploitation requires network access to the Headlamp UI, relies on credentials cached via the Helm endpoints, and may require user interaction.

Recommendations: Upgrade to Headlamp version 0.39.0 or later. Avoid public exposure of Headlamp via ingress.

Exploit

Fix

Insufficiently Protected Credentials

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-16348
CVE-2025-14269

Affected Products

Headlamp