VYPR

Go modules package

helm.sh/helm/v3

pkg:golang/helm.sh/helm/v3

Vulnerabilities (23)

  • CVE-2026-35206 (severity: Medium), Apr 9, 2026
    affected: < 3.20.2; fixed: 3.20.2

    Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working di

  • CVE-2025-55198, Aug 13, 2025
    affected: < 3.18.5; fixed: 3.18.5

    Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, when parsing Chart.yaml and index.yaml files, an improper validation of type error can lead to a panic. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring YAML files are formatt

  • CVE-2025-55199, Aug 13, 2025
    affected: < 3.18.5; fixed: 3.18.5

    Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A work

  • CVE-2025-53547, Jul 8, 2025
    affected: >= 3.18.0-rc.1, < 3.18.4; fixed: 3.18.4

    Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo

  • CVE-2025-32386, Apr 9, 2025
    affected: < 3.17.3; fixed: 3.17.3

    Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to

  • CVE-2025-32387, Apr 9, 2025
    affected: < 3.17.3; fixed: 3.17.3

    Helm is a package manager for Charts for Kubernetes. A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. This issue has been resolved in Helm v3.1

  • CVE-2019-25210, Mar 3, 2024
    affected: >= 3.0.0, <= 3.14.2

    An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 3.13.3. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this

  • CVE-2024-26147, Feb 21, 2024
    affected: < 3.14.2; fixed: 3.14.2

    Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all m

  • CVE-2024-25620, Feb 14, 2024
    affected: < 3.14.1; fixed: 3.14.1

    Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected direct

  • CVE-2023-25165, Feb 8, 2023
    affected: >= 3.0.0, < 3.11.1; fixed: 3.11.1

    Helm is a tool that streamlines installing and managing Kubernetes applications. `getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a D

  • CVE-2022-23526, Dec 15, 2022
    affected: < 3.10.3; fixed: 3.10.3

    Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validati

  • CVE-2022-23525, Dec 15, 2022
    affected: < 3.10.3; fixed: 3.10.3

    Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_ package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds r

  • CVE-2022-23524, Dec 15, 2022
    affected: < 3.10.3; fixed: 3.10.3

    Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cann

  • CVE-2022-36055, Sep 1, 2022
    affected: < 3.9.4; fixed: 3.9.4

    Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns str

  • CVE-2021-32690, Jun 16, 2021
    affected: < 3.6.1; fixed: 3.6.1

    Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that H

  • CVE-2021-21303, Feb 5, 2021
    affected: >= 3.0.0, < 3.5.2; fixed: 3.5.2

    Helm is open-source software which is essentially "The Kubernetes Package Manager". Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and before version 3.5.2, there a few cases where data loaded from potentia

  • CVE-2020-15187, Sep 17, 2020
    affected: >= 3.0.0, < 3.3.2; fixed: 3.3.2

    In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attac

  • CVE-2020-15186, Sep 17, 2020
    affected: >= 3.0.0, < 3.3.2; fixed: 3.3.2

    In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm

  • CVE-2020-15185, Sep 17, 2020
    affected: >= 3.0.0, < 3.3.2; fixed: 3.3.2

    In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this at

  • CVE-2020-15184, Sep 17, 2020
    affected: >= 3.0.0, < 3.3.2; fixed: 3.3.2

    In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is

Page 1 of 2