Vulnerability Description
Onyxia is a data science environment for kubernetes. In versions 4.6.0 through 4.8.0, Onyxia-API leaked the credentials of private helm repositories in the public (unauthenticated) /public/catalogs endpoint.vOnly instances using private helm repositories (i.e setting username & password in the catalogs configuration) are affected. This is fixed in version 4.9.0.
Related Weaknesses (CWE)
References
- https://github.com/InseeFrLab/onyxia-api/pull/613
- https://github.com/InseeFrLab/onyxia-api/releases/tag/v4.9.0
- https://github.com/InseeFrLab/onyxia/security/advisories/GHSA-m773-6vm8-8x6q
FAQ
What is CVE-2025-58366?
CVE-2025-58366 is a documented vulnerability. Onyxia is a data science environment for kubernetes. In versions 4.6.0 through 4.8.0, Onyxia-API leaked the credentials of private helm repositories in the public (unauthenticated) /public/catalogs en...
How severe is CVE-2025-58366?
CVSS scoring is not yet available for CVE-2025-58366. Check NVD for updates.
Is there a patch for CVE-2025-58366?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.