During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart.

### Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

### Specific Go Packages Affected
helm.sh/helm/v3/pkg/chartutil

### Workarounds

Manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.

Affected Packages

Go helm.sh/helm/v3

Affected versions: 3.0.0 (fixed in 3.3.2)

Go helm.sh/helm

Affected versions: 0 (fixed in 2.16.11)

Related CVEs

CVE-2020-15184

Key Information

GHSA ID

GHSA-9vp5-m38w-j776

Published

May 24, 2021 4:56 PM

Last Modified

October 2, 2023 12:24 PM

CVSS Score

2.5 /10

Primary Ecosystem

Primary Package

helm.sh/helm/v3

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 2, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.