CVE-2025-53547: Code Injection in Helm

CWE-94 Code Injection | 9 documents | 7 sources

Severity: 8.6 HIGH (NVD); CNA 8.5
EPSS: 0.0% (top 99.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jul 8; Latest update Jan 15

Description

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file, together with a specially linked Chart.lock file, can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file that are carried over to the Chart.lock file when dependencies are updated and that file is written can be crafted so that the content would execute if it were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.l
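A pre-flight check for the condition this description names, added here as an example and not part of Helm or of any of the advisories below: before a dependency update rewrites Chart.lock, confirm the file is an ordinary file inside the chart directory rather than a link to something else. The chart layout it builds is a constructed fixture.

```shell
#!/bin/sh
# Added example, not Helm project code: refuse to run dependency updates on a
# chart whose Chart.lock is not an ordinary file inside the chart directory.
# Returns 0 when the lock file is safe to (re)write, 1 otherwise.
check_chart_lock() {
    chart_dir=$1
    lock="$chart_dir/Chart.lock"
    # No Chart.lock yet: helm will create a fresh regular file, nothing to check.
    [ -e "$lock" ] || [ -L "$lock" ] || return 0
    # A symlink is the condition the advisory describes: whatever helm writes
    # into Chart.lock would land in the link target instead.
    if [ -L "$lock" ]; then
        echo "refusing: $lock is a symlink to $(readlink "$lock")" >&2
        return 1
    fi
    if [ ! -f "$lock" ]; then
        echo "refusing: $lock is not a regular file" >&2
        return 1
    fi
    # A hard link aliases another inode under a chart-local path; the link
    # count (second column of ls -l) exposes it where a path check cannot.
    links=$(ls -ld "$lock" | awk '{print $2}')
    if [ "$links" -gt 1 ]; then
        echo "refusing: $lock has $links hard links" >&2
        return 1
    fi
    return 0
}

# Constructed fixture (not a real chart): "good" holds an ordinary lock file,
# "bad" links its Chart.lock to a file outside the chart, standing in for a
# shell rc file. Prints the temporary root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/good" "$root/bad"
    printf 'apiVersion: v2\nname: demo\nversion: 0.1.0\n' > "$root/good/Chart.yaml"
    cp "$root/good/Chart.yaml" "$root/bad/Chart.yaml"
    printf 'dependencies: []\n' > "$root/good/Chart.lock"
    : > "$root/outside.rc"
    ln -s ../outside.rc "$root/bad/Chart.lock"
    echo "$root"
}

# Usage: run the check before `helm dependency update <chart_dir>`, e.g.
#   root=$(make_fixture)
#   check_chart_lock "$root/good" && helm dependency update "$root/good"
```

The same check is worth running on any chart fetched from an untrusted source before it is built in CI, where the rc files of the build user are the likely link targets.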

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 6.0

Affected Packages (3 packages)

Source      | Package          | Introduced   | Fixed
CVEList V5  | helm/helm        |              | < 3.18.4
NVD         | helm/helm        | 3.18.0       | 3.18.4 (+1)
Go          | helm.sh/helm_v3  | 3.18.0-rc.1  | 3.18.4 (+2)

Patches

Vulnerability Details (4)

OSV: Helm vulnerable to Code Injection through malicious chart.yaml content in helm.sh/helm (2025-07-21)
GHSA: Helm vulnerable to Code Injection through malicious chart.yaml content (2025-07-08)
OSV: Helm vulnerable to Code Injection through malicious chart.yaml content (2025-07-08)
CVEList: Helm Chart Dependency Updating With Malicious Chart.yaml Content And Symlink Can Lead To Code Execution (2025-07-08)

Vendor Advisories (4)

Oracle: Oracle Siebel CRM Risk Matrix: Siebel Cloud Manager (Helm) — CVE-2025-53547 (2026-01-15)
Oracle: Oracle Communications Risk Matrix: Configuration (Helm) — CVE-2025-53547 (2025-10-15)
Red Hat: helm.sh/helm/v3: Helm Chart Code Execution (2025-07-08)
Microsoft: Helm Chart Dependency Updating With Malicious Chart.yaml Content And Symlink Can Lead To Code Execution (2025-07-08)
CVE-2025-53547 — Code Injection in Helm | cvebase