Helm Dependency Update Vulnerability: Crafted Chart.yaml Can Lead to Local Code Execution

2025-07-09

A vulnerability in Helm allows local code execution through a carefully crafted Chart.yaml file combined with a symlinked Chart.lock file during dependency updates. When dependencies are updated, fields from Chart.yaml are written into Chart.lock. If Chart.lock is a symlink to an executable file (e.g., bash.rc), the update writes the Chart.lock content through the symlink into that file, which can lead to arbitrary code execution. Helm v3.18.4 patches this; upgrade, and check charts for symlinked Chart.lock files.
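The check recommended above, as an added example that is not Helm project code: a POSIX shell pre-flight that lists any Chart.lock under a directory tree that is a symlink rather than a regular file, so it can gate `helm dependency update` in a script or CI job. Directory and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not Helm project code): pre-flight check to run before
# `helm dependency update`. It lists every Chart.lock under a directory that
# is a symbolic link rather than a regular file, because the lock content
# (derived from Chart.yaml) would be written through the link to its target.

# Usage: find_symlinked_chart_locks <dir>
# Prints "<lock> -> <target>" per hit; returns 1 if any were found, else 0.
find_symlinked_chart_locks() {
    root="$1"
    hits=0
    # -type l matches the link itself (find does not follow symlinks by default),
    # so dangling links are reported too.
    for lock in $(find "$root" -type l -name Chart.lock 2>/dev/null); do
        hits=$((hits + 1))
        printf '%s -> %s\n' "$lock" "$(readlink "$lock")"
    done
    [ "$hits" -eq 0 ]
}

# Demo on a constructed chart tree in a temp directory (no real charts involved).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/safe-chart" "$tmp/bad-chart"
    printf 'apiVersion: v2\nname: safe\nversion: 0.1.0\n' > "$tmp/safe-chart/Chart.yaml"
    printf 'dependencies: []\n' > "$tmp/safe-chart/Chart.lock"   # regular file: OK
    printf 'apiVersion: v2\nname: bad\nversion: 0.1.0\n' > "$tmp/bad-chart/Chart.yaml"
    ln -s "$tmp/some-other-file" "$tmp/bad-chart/Chart.lock"    # symlink: flagged
    if find_symlinked_chart_locks "$tmp"; then
        echo "no symlinked Chart.lock files found"
        rc=0
    else
        echo "refusing to run helm dependency update until these are removed"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

In a pipeline, call `find_symlinked_chart_locks .` and abort on a non-zero status before invoking Helm.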
