Advisory GHSA-f9f8-9pmf-xv68 references a vulnerability in the following Go modules:
| Module |
|---|
| helm.sh/helm |
| helm.sh/helm/v3 |
Description:
A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.
Impact
There are two areas of YAML validation that were impacted. First, when a `Chart.yaml` file had a `null` maintainer, or the `child` or `parent` of a dependencies `import-values` could be parsed as something other than a string, `helm lint` would panic. Second, when an `index.yaml` had an empty entry in the list of chart versions, Helm would panic on interactions with that repository.
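As an added example (not Helm's code, and not taken from the advisory or the fix commit), the Go program below shows the defensive pattern the two failure modes call for: a `null` list item decodes to a nil pointer, and a value of the wrong YAML type fails a type assertion, so a linter has to check for both before using the value instead of letting the runtime panic. It uses `encoding/json` rather than a YAML library so it runs with the standard library alone; the struct shapes, field names and the constructed `badChart` / `badIndex` inputs are assumptions for illustration, not Helm's own types or files.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Maintainer and ChartMetadata are constructed stand-ins for the relevant
// Chart.yaml fields (assumption: not Helm's real types).
type Maintainer struct {
	Name  string `json:"name"`
	Email string `json:"email,omitempty"`
}

type ChartMetadata struct {
	Name        string        `json:"name"`
	Maintainers []*Maintainer `json:"maintainers"`
	// Kept untyped on purpose: an entry may be a plain string or a child/parent map.
	ImportValues []interface{} `json:"import-values"`
}

// LintChart validates the decoded document and returns every problem found.
// The nil check and the checked type assertion are the two guards that turn
// a would-be panic into an ordinary lint error.
func LintChart(doc []byte) []error {
	var md ChartMetadata
	if err := json.Unmarshal(doc, &md); err != nil {
		return []error{err}
	}
	var errs []error
	for i, m := range md.Maintainers {
		if m == nil { // a null list item decodes to a nil pointer; m.Name would panic
			errs = append(errs, fmt.Errorf("maintainers[%d]: entry is null", i))
			continue
		}
		if m.Name == "" {
			errs = append(errs, fmt.Errorf("maintainers[%d]: name is required", i))
		}
	}
	for i, iv := range md.ImportValues {
		switch v := iv.(type) {
		case string:
			// plain string form needs no further checks
		case map[string]interface{}:
			for _, key := range []string{"child", "parent"} {
				// two-value assertion: ok is false for a missing key or a non-string value
				if _, ok := v[key].(string); !ok {
					errs = append(errs, fmt.Errorf("import-values[%d]: %q must be a string", i, key))
				}
			}
		default:
			errs = append(errs, fmt.Errorf("import-values[%d]: unexpected type %T", i, iv))
		}
	}
	return errs
}

// ChartVersion and IndexFile are constructed stand-ins for index.yaml entries.
type ChartVersion struct {
	Version string `json:"version"`
}

type IndexFile struct {
	Entries map[string][]*ChartVersion `json:"entries"`
}

// Versions lists the versions recorded for one chart, skipping empty entries
// (an empty YAML list item decodes to null, i.e. a nil pointer here).
func Versions(doc []byte, chart string) ([]string, error) {
	var idx IndexFile
	if err := json.Unmarshal(doc, &idx); err != nil {
		return nil, err
	}
	var out []string
	for _, cv := range idx.Entries[chart] {
		if cv == nil {
			continue
		}
		out = append(out, cv.Version)
	}
	return out, nil
}

// Constructed inputs exercising each failure mode from the advisory.
const badChart = `{
  "name": "demo",
  "maintainers": [null, {"name": "alice"}],
  "import-values": ["data", {"child": 1, "parent": "x"}]
}`

const badIndex = `{"entries": {"demo": [{"version": "1.0.0"}, null, {"version": "1.1.0"}]}}`

func main() {
	for _, e := range LintChart([]byte(badChart)) {
		fmt.Println("lint:", e)
	}
	vs, err := Versions([]byte(badIndex), "demo")
	fmt.Println("versions:", vs, "err:", err)
}
```

Running it reports the null maintainer and the non-string `child` as lint errors and lists the two real versions from the index while ignoring the empty entry; with the guards removed, each of those inputs would instead crash the process, which is the behaviour the advisory describes.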
Patches
This issue has been resolved in Helm v3.18.5.
...
References:
- ADVISORY: GHSA-f9f8-9pmf-xv68
- ADVISORY: GHSA-f9f8-9pmf-xv68
- FIX: helm/helm@ec5f59e
Cross references:
- helm.sh/helm appears in 3 other report(s):
  - data/reports/GO-2023-1938.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-p5pc-m4q7-7qm9 #1938)
  - data/reports/GO-2023-1948.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-xrxm-mvqm-r553 #1948)
  - data/reports/GO-2023-1993.yaml (x/vulndb: potential Go vuln in helm.sh/helm: GHSA-x6r5-vxfg-gq3v #1993)
- helm.sh/helm/v3 appears in 19 other report(s):
  - data/excluded/GO-2022-0817.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/chartutil: GHSA-9vp5-m38w-j776 #817) NOT_IMPORTABLE
  - data/excluded/GO-2022-0820.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin: GHSA-c52f-pq47-2r9j #820) NOT_IMPORTABLE
  - data/excluded/GO-2022-0851.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/repo: GHSA-jm56-5h66-w453 #851) NOT_IMPORTABLE
  - data/excluded/GO-2022-0856.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin: GHSA-m54r-vrmv-hw33 #856) NOT_IMPORTABLE
  - data/excluded/GO-2022-0864.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-q8q8-93cv-v6h8 #864) NOT_IMPORTABLE
  - data/excluded/GO-2022-0868.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3/pkg/plugin/installer: GHSA-qq3j-xp49-j73f #868) NOT_IMPORTABLE
  - data/excluded/GO-2024-2607.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-jw44-4f3j-q396 #2607) NOT_A_VULNERABILITY
  - data/reports/GO-2022-0384.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-56hp-xqp3-w2jf #384)
  - data/reports/GO-2022-0962.yaml (x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2022-36055 #962)
  - data/reports/GO-2022-1040.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-c38g-469g-cmgx #1040)
  - data/reports/GO-2022-1165.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-53c4-hhmh-vw5q #1165)
  - data/reports/GO-2022-1166.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-67fx-wx78-jx33 #1166)
  - data/reports/GO-2022-1167.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-6rx9-889q-vv2r #1167)
  - data/reports/GO-2023-1547.yaml (x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2023-25165 #1547)
  - data/reports/GO-2024-2554.yaml (x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2024-25620 #2554)
  - data/reports/GO-2024-2575.yaml (x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2024-26147 #2575)
  - data/reports/GO-2025-3601.yaml (x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2025-32386 #3601)
  - data/reports/GO-2025-3602.yaml (x/vulndb: potential Go vuln in github.com/helm/helm: CVE-2025-32387 #3602)
  - data/reports/GO-2025-3802.yaml (x/vulndb: potential Go vuln in helm.sh/helm/v3: GHSA-557j-xg8c-q2mm #3802)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: helm.sh/helm
      vulnerable_at: 2.17.0+incompatible
    - module: helm.sh/helm/v3
      vulnerable_at: 3.18.5
summary: Helm May Panic Due To Incorrect YAML Content in helm.sh/helm
cves:
    - CVE-2025-55198
ghsas:
    - GHSA-f9f8-9pmf-xv68
references:
    - advisory: https://github.com/advisories/GHSA-f9f8-9pmf-xv68
    - advisory: https://github.com/helm/helm/security/advisories/GHSA-f9f8-9pmf-xv68
    - fix: https://github.com/helm/helm/commit/ec5f59e2db56533d042a124f5bae54dd87b558e6
source:
    id: GHSA-f9f8-9pmf-xv68
    created: 2025-08-14T01:01:20.324405075Z
review_status: UNREVIEWED
```