Code Execution Vulnerability in Helm Package Manager Affects Kubernetes Deployments
CVE-2025-53547

8.5 HIGH

Key Information:

Vendor:
Helm

Status:
Vendor

CVE Published:
8 July 2025

What is CVE-2025-53547?

A critical vulnerability exists in Helm, a package manager for Kubernetes, prior to version 3.18.4. It allows local code execution via a maliciously crafted Chart.yaml file combined with a Chart.lock file that is a symbolic link. When dependencies are updated, the fields in Chart.yaml can inadvertently be written through the symlinked Chart.lock to its target; if that target is an executable file such as bash.rc or a shell script, this results in the execution of arbitrary commands. Although Helm issues a warning about symlinked files, it does not prevent the write, posing significant risk to Kubernetes environments. This vulnerability highlights the need for diligent sanitization of input files and proper version management.
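The mitigation the description implies is a pre-flight check: since the vulnerable versions warn about a symlinked Chart.lock but still write through it, a CI or developer wrapper can refuse to run the dependency update at all when Chart.lock is not a regular file. The following POSIX shell script is an added example, not code from the Helm project or from the advisory; it assumes the standard `helm dependency update <chart-dir>` invocation and demonstrates the check on constructed temporary chart directories rather than real charts.

```shell
#!/bin/sh
# Added example (not Helm project code): refuse to run `helm dependency update`
# when Chart.lock in the chart directory is a symbolic link, because the advisory
# notes that affected Helm versions warn about a symlinked lock file but still
# write through it.

# check_chart_lock DIR
#   returns 0 when Chart.lock is absent (Helm will create a regular file) or is
#   already a regular file; returns 1 when it is a symlink or any other non-file.
check_chart_lock() {
    dir="$1"
    lock="$dir/Chart.lock"
    if [ ! -e "$lock" ] && [ ! -L "$lock" ]; then
        return 0
    fi
    if [ -L "$lock" ]; then
        printf 'refusing: %s is a symlink -> %s\n' "$lock" "$(readlink "$lock")" >&2
        return 1
    fi
    if [ ! -f "$lock" ]; then
        printf 'refusing: %s is not a regular file\n' "$lock" >&2
        return 1
    fi
    return 0
}

# safe_dependency_update DIR
#   runs the check first and only then invokes helm (assumed standard CLI usage).
safe_dependency_update() {
    check_chart_lock "$1" || return 1
    helm dependency update "$1"
}

# Demonstration on constructed temporary directories; no real charts involved.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/good" "$tmp/bad"
    printf 'apiVersion: v2\nname: demo\nversion: 0.1.0\n' > "$tmp/good/Chart.yaml"
    cp "$tmp/good/Chart.yaml" "$tmp/bad/Chart.yaml"
    : > "$tmp/good/Chart.lock"                     # ordinary lock file
    printf '#!/bin/sh\n' > "$tmp/target.sh"          # constructed stand-in for a script
    ln -s "$tmp/target.sh" "$tmp/bad/Chart.lock"    # the symlink pattern in the advisory
    check_chart_lock "$tmp/good" && echo "good: Chart.lock is a regular file, update allowed"
    check_chart_lock "$tmp/bad" 2>/dev/null || echo "bad: Chart.lock is a symlink, update blocked"
    rm -rf "$tmp"
}

demo
```

The check deliberately tests `-L` before `-f`, because `-f` follows symlinks and would report a link to an existing script as a regular file; a missing Chart.lock is allowed through because Helm creates a fresh regular file in that case.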

Affected Version(s)

helm < 3.18.4

References

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
