Bug 2378905 (CVE-2025-53547)

Summary: CVE-2025-53547 helm.sh/helm/v3: Helm Chart Code Execution
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adudiak, alcohan, anjoseph, brainfor, dfreiber, drow, dward, gparvin, jbalunas, jburrell, jkoehler, jprabhak, jwendell, kshier, ldai, lphiri, lsharar, lucarval, njean, oblaut, omaciel, owatkins, pahickey, rcernich, rhaigner, rjohnson, stcannon, vkumar, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A command injection vulnerability has been identified in Helm, a package manager for Kubernetes. An attacker can craft a malicious Chart.yaml file with specially linked dependencies in a Chart.lock file. If the Chart.lock file is a symbolic link to an executable file, such as a shell script, and a user attempts to update the dependencies, the crafted content is written to the symlinked file and executed. This can lead to local code execution on the system. This issue has been patched in Helm version 3.18.4, and users should update to this version to mitigate the risk.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-07-08 22:01:40 UTC 
Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.
Comment 2 errata-xmlrpc 2025-09-17 16:57:37 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9

Via RHSA-2025:16113 https://access.redhat.com/errata/RHSA-2025:16113