This mail comes from outside the organisation; stay vigilant.

=====================================================================
CERT-Renater Note d'Information No. 2025/VULN513
_____________________________________________________________________

DATE : 14/08/2025

HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S):  Systems running Helm versions prior to 3.18.5.

=====================================================================

https://github.com/helm/helm/security/advisories/GHSA-f9f8-9pmf-xv68
https://github.com/helm/helm/security/advisories/GHSA-9h84-qmv7-982p

_____________________________________________________________________

Incorrect YAML Content Leads To Panic
Severity: Moderate
robertsirc published GHSA-f9f8-9pmf-xv68 on Aug 13, 2025

Package:           helm.sh/helm/v3 (Go)
Affected versions: <= 3.18.4
Patched versions:  3.18.5

Description
A Helm contributor discovered an improper type validation when parsing
Chart.yaml and index.yaml files that can lead to a panic.

Impact
Two areas of YAML validation were affected. First, when a Chart.yaml
file had a null maintainer, or when the child or parent of a
dependencies import-values entry parsed as something other than a
string, helm lint would panic. Second, when an index.yaml had an empty
entry in the list of chart versions, Helm would panic on any
interaction with that repository.

Patches
This issue has been resolved in Helm v3.18.5.

Workarounds
Ensure YAML files are formatted as Helm expects before processing them
with Helm.

References
Helm's security policy is spelled out in detail in its SECURITY
document.

Credits
Disclosed by Jakub Ciolek at AlphaSense.

Severity: Moderate, 6.5 / 10
CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    Required
  Scope:               Unchanged
  Confidentiality:     None
  Integrity:           None
  Availability:        High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE ID:     CVE-2025-55198
Weaknesses: CWE-1287
Credits:    @jake-ciolek (Reporter)

_____________________________________________________________________

Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
Severity: Moderate
robertsirc published GHSA-9h84-qmv7-982p on Aug 13, 2025

Package:           helm.sh/helm/v3 (Go)
Affected versions: <= 3.18.4
Patched versions:  3.18.5

Description
A Helm contributor discovered that it was possible to craft a JSON
Schema file in a manner that could cause Helm to use all available
memory and be terminated by an out-of-memory (OOM) condition.

Impact
A malicious chart can point a $ref in values.schema.json to a device
(e.g. /dev/*) or another problematic file, which could cause Helm to
use all available memory and be terminated by an out-of-memory (OOM)
condition.

Patches
This issue has been resolved in Helm v3.18.5.

Workarounds
Make sure that no Helm chart being loaded into Helm contains a $ref
pointing to /dev/zero.

References
Helm's security policy is spelled out in detail in its SECURITY
document.

Credits
Disclosed by Jakub Ciolek at AlphaSense.

Severity: Moderate, 6.5 / 10
CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    Required
  Scope:               Unchanged
  Confidentiality:     None
  Integrity:           None
  Availability:        High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE ID:     CVE-2025-55199
Weaknesses: No CWEs
Credits:    @jake-ciolek (Finder)

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email:cert@support.renater.fr  +
=========================================================
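The workaround for GHSA-9h84-qmv7-982p (CVE-2025-55199) above asks chart consumers to check that no $ref in values.schema.json points at /dev/zero before Helm loads the chart. The following Go program is an added example written for this note; it is not Helm's own code and not the patch in v3.18.5. It only assumes that the chart's schema file is named values.schema.json and is valid JSON. It goes further than the advisory's single /dev/zero case: it walks the whole schema with encoding/json (which resolves nothing, so the scan itself cannot trigger the OOM) and reports every $ref that does not stay inside the document as a "#..." fragment, classifying device paths, other local files and external references separately. The sample schema embedded in the block is constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// sampleSchema is a constructed values.schema.json: one safe in-document
// fragment, one $ref to a device (the CVE-2025-55199 pattern) and one
// $ref to a local file nested inside an "items" keyword.
const sampleSchema = `{
  "$schema": "https://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "image":     {"$ref": "#/definitions/image"},
    "resources": {"$ref": "/dev/zero"},
    "extra":     {"type": "array", "items": {"$ref": "file:///etc/passwd"}}
  },
  "definitions": {"image": {"type": "string"}}
}`

// Classify says where a $ref would send a resolving schema loader.
// Only "fragment" references stay inside the schema document itself.
func Classify(ref string) string {
	switch {
	case strings.HasPrefix(ref, "#"):
		return "fragment" // resolved within the document: safe
	case strings.HasPrefix(ref, "/dev/"), strings.HasPrefix(ref, "file:///dev/"):
		return "device" // e.g. /dev/zero: an unbounded read, the OOM case
	case strings.HasPrefix(ref, "/"), strings.HasPrefix(ref, "file://"):
		return "file" // any other local path the loader would open
	default:
		return "external" // http(s) URL or relative path resolved by the loader
	}
}

// IsLocalRef reports whether ref is an in-document fragment reference.
func IsLocalRef(ref string) bool { return Classify(ref) == "fragment" }

// walk visits every "$ref" string anywhere in a decoded JSON tree.
// It is keyword-agnostic, so refs under properties, items, allOf, etc.
// are all found without knowing the schema draft in use.
func walk(node any, visit func(string)) {
	switch v := node.(type) {
	case map[string]any:
		for k, child := range v {
			if k == "$ref" {
				if s, ok := child.(string); ok {
					visit(s)
				}
				continue
			}
			walk(child, visit)
		}
	case []any:
		for _, child := range v {
			walk(child, visit)
		}
	}
}

// UnsafeRefs returns, sorted, every $ref in the schema that is not an
// in-document fragment. A non-empty result means the chart should be
// rejected (or reviewed) before Helm is allowed to load it.
func UnsafeRefs(schema []byte) ([]string, error) {
	var doc any
	if err := json.Unmarshal(schema, &doc); err != nil {
		return nil, fmt.Errorf("values.schema.json is not valid JSON: %w", err)
	}
	var found []string
	walk(doc, func(ref string) {
		if !IsLocalRef(ref) {
			found = append(found, ref)
		}
	})
	sort.Strings(found)
	return found, nil
}

func main() {
	// Scan the file given on the command line, or the constructed sample.
	data := []byte(sampleSchema)
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		data = b
	}
	refs, err := UnsafeRefs(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, r := range refs {
		fmt.Printf("UNSAFE $ref (%s): %s\n", Classify(r), r)
	}
	if len(refs) > 0 {
		os.Exit(1) // non-zero so a CI gate can refuse the chart
	}
	fmt.Println("values.schema.json: no external $ref found")
}
```

Run it as `go run main.go path/to/chart/values.schema.json` in a pipeline step ahead of helm lint/install; it exits 1 when any non-fragment $ref is present. Charts that legitimately reference an external schema will be flagged too, which is the intended trade-off for a pre-3.18.5 gate: an explicit allow-list of trusted URLs can be added to Classify if such charts are in use.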