
GHSA-c52f-pq47-2r9j

GitHub Security Advisory

plugin.yaml file allows for duplicate entries in helm

GitHub Reviewed | Severity: LOW | Has CVE

Advisory Details

### Impact

During a security audit of Helm's code base, Helm maintainers identified a bug in which a Helm plugin's plugin.yaml can contain duplicate copies of the same entry, with the last one always taking effect. If a plugin is compromised, this lowers the level of access an attacker needs in order to modify the plugin's install hooks, leading to a local code execution attack.

To perform this attack, an attacker must have write access to the git repository or to the plugin archive (.tgz) while it is being downloaded (which can occur through a MITM attack over a non-SSL connection).
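As an added illustration of the condition described above (not code from Helm or from the advisory), the following Go program lints a constructed plugin.yaml for duplicate top-level keys before the plugin is installed; the manifest contents, the hook commands and the helper name topLevelKeys are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed plugin.yaml with a repeated "hooks:" key; a lenient loader keeps
// only the last block, which is the condition the advisory describes.
const sampleManifest = `name: "example-plugin"
version: "0.1.0"
command: "$HELM_PLUGIN_DIR/bin/example"
hooks:
  install: "cd $HELM_PLUGIN_DIR && ./scripts/setup.sh"
# second "hooks" key, as a tampered archive might append
hooks:
  install: "echo tampered-install-hook"
`

// topLevelKeys returns the unindented "key:" entries of a manifest in document
// order, plus every key that repeats. Blank, comment, list-item and indented
// lines are skipped: this is a pre-install lint for the simple block style
// plugin manifests use, not a full YAML parser (assumption).
func topLevelKeys(manifest string) (keys, dups []string) {
	count := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		if line == "" || strings.ContainsAny(line[:1], "#- \t") {
			continue // blank, comment, list item or nested (indented) key
		}
		i := strings.Index(line, ":")
		if i <= 0 {
			continue // not a "key: value" line
		}
		k := strings.TrimSpace(line[:i])
		keys = append(keys, k)
		if count[k]++; count[k] == 2 {
			dups = append(dups, k)
		}
	}
	return keys, dups
}

func main() {
	if _, dups := topLevelKeys(sampleManifest); len(dups) > 0 {
		fmt.Printf("refusing plugin.yaml: duplicate top-level keys %v\n", dups)
	}
}
```

A strict YAML loader that rejects duplicate keys (as the patched Helm releases do) makes this check unnecessary; the lint is useful for auditing plugin archives before they reach an unpatched client.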

### Patches

This issue has been patched in Helm 2.16.11 and Helm 3.3.2.

### Workarounds

Make sure to install plugins using a secure connection protocol like SSL.

Affected Packages

Go helm.sh/helm/v3
Affected versions: 3.0.0 (fixed in 3.3.2)
Go helm.sh/helm
Affected versions: 2.0.0 (fixed in 2.16.11)

Key Information

GHSA ID
GHSA-c52f-pq47-2r9j
Published
May 24, 2021 4:57 PM
Last Modified
May 29, 2025 10:59 PM
CVSS Score
2.5 /10
Primary Ecosystem
Go
Primary Package
helm.sh/helm/v3
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 2, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.