GHSA-5xqw-8hwv-wg92
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5xqw-8hwv-wg92
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-5xqw-8hwv-wg92/GHSA-5xqw-8hwv-wg92.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5xqw-8hwv-wg92
- Aliases
- Related
- Published
- 2025-04-10T13:48:31Z
- Modified
- 2025-04-11T19:57:05.654343Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Helm Allows A Specially Crafted JSON Schema To Cause A Stack Overflow
- Details
-
A Helm contributor discovered that a specially crafted JSON Schema within a chart can lead to a stack overflow.
Impact
A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow.
Patches
This issue has been resolved in Helm v3.17.3.
Workarounds
Ensure that the JSON Schema within any charts loaded by Helm does not have a large number of nested references. These JSON Schema files are larger than 10 MiB.
For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
- Database specific
{ "nvd_published_at": "2025-04-09T23:15:37Z", "cwe_ids": [ "CWE-121", "CWE-674" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-10T13:48:31Z" }- References
Affected packages
Go / helm.sh/helm/v3
Package
- Name
- helm.sh/helm/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/helm.sh/helm/v3