Helm local code execution via a malicious chart – CVE-2025-53547
10 months ago
- #Vulnerability
- #Helm
- #Security
- A Helm contributor discovered a vulnerability where a specially crafted Chart.yaml and Chart.lock file can lead to local code execution during dependency updates.
- The vulnerability involves a symlinked Chart.lock file: when Helm rewrites Chart.lock during a dependency update it follows the symlink, so crafted content is written to the symlink's target, which can be an executable file such as `.bashrc` or a shell script.
- This issue affects Helm when running commands like `helm dependency update`, or when the Helm SDK's downloader Manager performs an update.
- The vulnerability has been patched in Helm v3.18.4.
- A workaround is to ensure the Chart.lock file is not a symlink before updating dependencies.
- The security issue was disclosed by Jakub Ciolek at AlphaSense.
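The workaround above (refuse to update dependencies while Chart.lock is a symlink) can be enforced as a pre-flight check wrapped around `helm dependency update`. The script below is an added example written for this page, not Helm project code; the function names `chart_lock_is_safe` and `safe_dependency_update` and the temporary chart directories built by `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Helm project): enforce the CVE-2025-53547 workaround
# on Helm versions before v3.18.4 by refusing to run `helm dependency update`
# when Chart.lock in the chart directory is a symlink.

# chart_lock_is_safe DIR
# Returns 0 if DIR/Chart.lock is absent or a regular file, 1 if it is a symlink.
# A symlinked Chart.lock would be followed on update, so the rewrite would land
# on the link target instead of the chart's own lock file.
chart_lock_is_safe() {
  dir=$1
  lock="$dir/Chart.lock"
  if [ -L "$lock" ]; then
    printf 'refusing: %s is a symlink -> %s\n' "$lock" "$(readlink "$lock")" >&2
    return 1
  fi
  return 0
}

# safe_dependency_update DIR
# Runs the symlink check first and only then invokes helm on the chart.
safe_dependency_update() {
  chart_lock_is_safe "$1" || return 1
  helm dependency update "$1"
}

# Constructed demonstration: one chart with a plain Chart.lock and one whose
# Chart.lock is a symlink pointing at a file an update must never write through.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/good" "$tmp/bad"
  printf 'dependencies: []\n' > "$tmp/good/Chart.lock"
  : > "$tmp/target"
  ln -s "$tmp/target" "$tmp/bad/Chart.lock"
  chart_lock_is_safe "$tmp/good" && echo "good: Chart.lock is a regular file, update allowed"
  chart_lock_is_safe "$tmp/bad" || echo "bad: Chart.lock is a symlink, update blocked"
  rm -rf "$tmp"
}

# With a chart directory argument, guard a real update; with none, run the demo.
if [ -n "$1" ]; then
  safe_dependency_update "$1"
else
  demo
fi
```

Usage: `sh check-chart-lock.sh ./mychart` runs the guarded update; with no argument it runs the constructed demo. The check is deliberately a plain `test -L`, since the advisory's condition is exactly "Chart.lock is a symlink"; upgrading to v3.18.4 remains the real fix.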