Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-v53g-5gjp-272r

GitHub Security Advisory

Helm dependency management path traversal

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.

### Impact

When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.

### Patches

This issue has been resolved in Helm v3.14.1.

### Workarounds

Check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.

### Credits

Disclosed by Dominykas Blyžė at Nearform Ltd.

Affected Packages

Go helm.sh/helm/v3
Affected versions: 0 (fixed in 3.14.1)

Related CVEs

CVE-2024-25620

Key Information

GHSA ID
GHSA-v53g-5gjp-272r
Published
February 15, 2024 3:34 PM
Last Modified
February 15, 2024 3:34 PM
CVSS Score
5.0 /10
Primary Ecosystem
Go
Primary Package
helm.sh/helm/v3
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 1, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.