CVE-2024-25620: 
Helm vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-25620) was discovered in Helm, a tool for managing Kubernetes resource packages called Charts. The vulnerability was disclosed on February 14, 2024, affecting all versions of Helm prior to 3.14.1. The issue occurs when either the Helm client or SDK is used to save a chart whose name within the Chart.yaml file includes a relative path change (Helm Advisory).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 6.4 (Medium). When processing charts, the validation and linting mechanisms failed to detect path changes in the name field of Chart.yaml, allowing charts to be saved outside their expected directory based on the relative path changes. This affects both the Helm client and SDK implementations (NVD).

When exploited, this vulnerability allows a chart to be saved outside its intended directory structure, potentially leading to unauthorized file system access and manipulation. This could affect the integrity of the chart management system and potentially lead to security issues in the deployment pipeline (Helm Advisory).

The vulnerability has been patched in Helm version 3.14.1. For users unable to upgrade immediately, it is recommended to check all charts used by Helm for path changes in their name as found in the Chart.yaml file, including dependencies. This validation should be performed before using any chart (Helm Advisory).

The vulnerability was responsibly disclosed by Dominykas Blyžė at Nearform Ltd. Multiple vendors have acknowledged the vulnerability and are releasing updates to their products that include Helm, including Red Hat which has issued security advisories for affected products (Red Hat Advisory).