PT-2025-52206 · Headlamp · Headlamp

Published: 2025-12-17 · Updated: 2025-12-26 · CVE-2025-14269

CVSS v2.0: 10 (High) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Headlamp versions prior to 0.39.0

Description: A configuration issue (config.enableHelm: true) in the Headlamp user interface for Kubernetes cluster management leads to information disclosure through credential caching when the /clusters/main/helm/releases/list endpoint is processed. Exploitation may allow a remote attacker to gain unauthorized access to protected information by sending a specially crafted request. The issue involves credential caching and can affect private Kubernetes clusters when Headlamp runs in-cluster with Helm enabled and an authorized user has previously accessed Helm; in that case unauthenticated users may be able to access Helm. Exploitation requires network access to the Headlamp UI, relies on credentials cached by the Helm endpoints, and may require user interaction.

Recommendations: Upgrade to Headlamp version 0.39.0 or later. Avoid public exposure of Headlamp via Ingress.
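The following is an added example, not code from the Headlamp project or from this advisory. It turns the two recommendations above into an offline check a cluster operator can run against a Headlamp Deployment: it reads the image tag and compares it with 0.39.0, looks at the container arguments to see whether Helm support is switched on, and reports whether the deployment is exposed through an Ingress. Assumptions not taken from the advisory: the input is the JSON shape that `kubectl get deploy -o json` returns, the container is named `headlamp`, Helm support is switched on by a backend flag spelled `-enable-helm` (the advisory names the chart value `config.enableHelm: true`; the flag spelling and the `-in-cluster` argument in the sample are assumptions), and the sample Deployment and Ingress host are constructed.

```python
"""Offline check of a Headlamp Deployment against CVE-2025-14269 (added example).

Assumptions (not from the advisory): kubectl-style Deployment JSON, a container
named "headlamp", and a backend flag spelled -enable-helm (or --enable-helm,
optionally with =true/=false) that switches Helm support on.
"""
import json
import re

# From the advisory: the issue is fixed in Headlamp 0.39.0.
FIXED_VERSION = (0, 39, 0)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def build_deployment(image, args):
    """Return a constructed Deployment JSON string reduced to the fields read here."""
    return json.dumps({
        "kind": "Deployment",
        "metadata": {"name": "headlamp", "namespace": "kube-system"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "headlamp", "image": image, "args": list(args)},
        ]}}},
    })


# Constructed sample: an in-cluster Headlamp with Helm enabled on a pre-fix tag.
SAMPLE_DEPLOYMENT = build_deployment(
    "ghcr.io/headlamp-k8s/headlamp:v0.38.1", ["-in-cluster", "-enable-helm"]
)


def parse_version(tag):
    """(major, minor, patch) from a tag such as 'v0.38.1'; None for 'latest', 'main', ..."""
    m = _VERSION_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def version_status(tag):
    """'fixed' at or above 0.39.0, 'vulnerable' below it, 'unknown' for non-semver tags."""
    v = parse_version(tag)
    if v is None:
        return "unknown"
    return "fixed" if v >= FIXED_VERSION else "vulnerable"


def image_tag(image):
    """Tag part of an image reference; digests are ignored and a missing tag means 'latest'."""
    last = image.split("@", 1)[0].rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else "latest"


def helm_enabled(container):
    """True if the container args switch Helm support on (assumed flag: -enable-helm).
    The last occurrence wins, so '-enable-helm=false' after '-enable-helm' disables it."""
    enabled = False
    for arg in container.get("args", []):
        name, _, value = arg.lstrip("-").partition("=")
        if name == "enable-helm":
            enabled = value.strip().lower() not in ("false", "0", "no")
    return enabled


def assess(deployment_json, ingress_hosts=()):
    """Assess one Deployment; ingress_hosts lists Ingress host names that route to it."""
    dep = json.loads(deployment_json)
    containers = dep["spec"]["template"]["spec"]["containers"]
    container = next((c for c in containers if c.get("name") == "headlamp"), containers[0])
    tag = image_tag(container["image"])
    status = version_status(tag)
    helm = helm_enabled(container)
    exposed = len(list(ingress_hosts)) > 0
    # Helm must be enabled for the cached-credential path to exist; an unknown
    # tag is treated as not yet fixed so that it is reviewed rather than ignored.
    affected = helm and status != "fixed"
    actions = []
    if status != "fixed":
        actions.append("upgrade to Headlamp 0.39.0 or later")
    if exposed:
        actions.append("stop exposing Headlamp publicly via Ingress")
    return {
        "image_tag": tag,
        "version_status": status,
        "helm_enabled": helm,
        "publicly_exposed": exposed,
        "affected": affected,
        "actions": actions,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_DEPLOYMENT, ["headlamp.example.com"]), indent=2))
```

On a real cluster the input would come from `kubectl get deploy headlamp -n <namespace> -o json` and the host list from the Ingress objects that reference the Headlamp Service; a non-semver tag such as `latest` is reported as unknown on purpose, since the advisory's fixed-version boundary cannot be applied to it.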

Exploit

Fix

Weakness Enumeration

Information Disclosure
Insufficiently Protected Credentials

Related Identifiers

BDU:2025-16348
CVE-2025-14269

Affected Products

Headlamp