GHSA-9h84-qmv7-982p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9h84-qmv7-982p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-9h84-qmv7-982p/GHSA-9h84-qmv7-982p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9h84-qmv7-982p
- Aliases
- Downstream
- Related
- Published
- 2025-08-14T00:01:34Z
- Modified
- 2025-08-18T20:13:38.615797Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
- Details
-
A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination.
Impact
A malicious chart can point
$refin values.schema.json to a device (e.g./dev/*) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination.Patches
This issue has been resolved in Helm v3.18.5.
Workarounds
Make sure that all Helm charts that are being loaded into Helm doesn't have any reference of
$refpointing to/dev/zero.References
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
- Database specific
{ "github_reviewed_at": "2025-08-14T00:01:34Z", "severity": "MODERATE", "cwe_ids": [ "CWE-770" ], "nvd_published_at": "2025-08-14T00:15:27Z", "github_reviewed": true }- References
Affected packages
Go / helm.sh/helm/v3
Package
- Name
- helm.sh/helm/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/helm.sh/helm/v3