Chart Dependency Updating With Malicious Chart.yaml Content And Symlink · Advisory · helm/helm · GitHub
Severity: High

Affected versions: <= 3.17.3; >= 3.18.0, <= 3.18.3
Patched versions: 3.18.4, 3.17.4

CVSS v3 base metrics (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H)
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: High

CVE ID: CVE-2025-53547

Weakness: CWE-94, Improper Control of Generation of Code ('Code Injection'). The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Reporter: jake-ciolek

Description
A Helm contributor discovered that a specially crafted `Chart.yaml` file, combined with a specially linked `Chart.lock` file, can lead to local code execution when dependencies are updated.

Impact

Fields in a `Chart.yaml` file that are carried over to a `Chart.lock` file when dependencies are updated (and that lock file is written) can be crafted so that the content would execute if it were placed in a file that is executed (e.g., a `bash.rc` file or a shell script). If the `Chart.lock` file is a symlink to one of these files, updating dependencies writes the lock file content to the symlink target. This can lead to unwanted execution. Helm warned about the symlinked file but did not stop execution because of the symlink.

This affects dependency updates. When using the `helm` command, this happens when `helm dependency update` is run. `helm dependency build` can write a lock file when one does not exist, but this vector requires one to already exist. This affects the Helm SDK when the downloader `Manager` performs an update.

Patches

This issue has been resolved in Helm v3.18.4.
Workarounds

Ensure the `Chart.lock` file in a chart is not a symlink prior to updating dependencies.

For more information
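The workaround above can be turned into a pre-flight guard. The following POSIX shell script is an added example and is not Helm project code: `chart_lock_is_safe` refuses a chart whose `Chart.lock` is a symlink (where an unpatched Helm only warns), `safe_dependency_update` wraps `helm dependency update` behind that check, and `find_symlinked_locks` scans a repository for symlinked lock files before any update is run. The function names, the `--demo` flag and the temporary charts it builds are all constructed for this illustration.

```sh
#!/bin/sh
# Added example, not Helm project code: a pre-flight guard for the advisory's
# workaround. Before running `helm dependency update`, verify that Chart.lock
# is not a symlink, since a symlinked lock file would be overwritten with
# Chart.yaml-derived content at its link target.

# chart_lock_is_safe CHART_DIR
# Returns 0 when Chart.lock is absent or a regular file, 1 when it is a symlink.
chart_lock_is_safe() {
  lock="$1/Chart.lock"
  if [ -L "$lock" ]; then
    printf 'refusing to update %s: Chart.lock is a symlink -> %s\n' \
      "$1" "$(readlink "$lock")" >&2
    return 1
  fi
  return 0
}

# safe_dependency_update CHART_DIR
# Runs `helm dependency update` only after the guard passes (unpatched Helm
# only warns about the symlink; this wrapper refuses outright).
safe_dependency_update() {
  chart_lock_is_safe "$1" || return 1
  helm dependency update "$1"
}

# find_symlinked_locks ROOT
# CI-style scan: list every Chart.lock under ROOT that is a symlink, so a
# repository can be checked before any dependency update runs.
find_symlinked_locks() {
  find "$1" -type l -name Chart.lock
}

# count_symlinked_locks ROOT
# Same scan, printing only the number of findings.
count_symlinked_locks() {
  find_symlinked_locks "$1" | wc -l | tr -d ' '
}

# Demo on constructed charts in a temporary directory (helm is not invoked):
# "good" has a regular Chart.lock, "bad" has Chart.lock pointing at a script.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/good" "$tmp/bad"
  printf 'apiVersion: v2\nname: good\nversion: 0.1.0\n' > "$tmp/good/Chart.yaml"
  : > "$tmp/good/Chart.lock"
  printf 'apiVersion: v2\nname: bad\nversion: 0.1.0\n' > "$tmp/bad/Chart.yaml"
  : > "$tmp/target.sh"     # constructed stand-in for a file that would be executed
  ln -s "$tmp/target.sh" "$tmp/bad/Chart.lock"

  chart_lock_is_safe "$tmp/good" && echo "good: ok to update"
  chart_lock_is_safe "$tmp/bad"  || echo "bad: blocked"
  echo "symlinked lock files found: $(count_symlinked_locks "$tmp")"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it with `sh guard.sh --demo` to see the constructed charts checked, or source it and call `safe_dependency_update ./mychart` in place of a bare `helm dependency update`. The check runs immediately before Helm is invoked, so it narrows the window but does not eliminate it; upgrading to 3.18.4 or 3.17.4 is the actual fix.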
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.