This advisory has been withdrawn because the issue describes intended behavior and the output is not exposed to unauthorized users. This link has been maintained to preserve external references.

### Original Description

An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values).

Affected Packages

Go helm.sh/helm/v3

Affected versions: 3.0.0 (last affected: 3.14.2)

Related CVEs

CVE-2019-25210

Key Information

GHSA ID

GHSA-jw44-4f3j-q396

Published

March 3, 2024 9:31 PM

Last Modified

June 19, 2025 2:29 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

helm.sh/helm/v3

GitHub Reviewed

✓ Yes

Withdrawn

June 19, 2025 2:29 PM

Dataset

Last updated: July 1, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.