CVE-2025-53547
Helm vulnerability analysis and mitigation

Overview

Helm, the package manager for Kubernetes charts, disclosed a high-severity vulnerability (CVE-2025-53547) affecting all versions up to and including 3.18.3. The vulnerability allows local code execution through a specially crafted Chart.yaml file combined with a Chart.lock file that is actually a symlink, triggered when dependencies are updated. The flaw was discovered by Jakub Ciolek at AlphaSense and has been assigned a CVSS score of 8.5 (GitHub Advisory).

Technical details

The vulnerability stems from how Helm processes chart metadata during dependency updates. When dependencies are updated, fields from the Chart.yaml file are carried over into the Chart.lock file. If an attacker crafts malicious content in the Chart.yaml file and replaces Chart.lock with a symlink to a sensitive file that gets executed or sourced (such as .bashrc or a shell script), the update process follows the symlink and writes the attacker-controlled content into the target file. The vulnerability specifically affects the helm dependency update command and the Helm SDK whenever the Manager in the downloader package performs a dependency update (Security Online).

Impact

The vulnerability can lead to local code execution in the user's environment, which is particularly dangerous for developers using Helm as part of automated DevOps pipelines or CI/CD tooling. When exploited, it allows attackers to write arbitrary content to sensitive files through symlink manipulation, potentially leading to code execution when the targeted file is next used (Security Online).

Mitigation and workarounds

The vulnerability has been patched in Helm version 3.18.4. In the patched version, Helm no longer follows symbolic links when writing the Chart.lock file, mitigating the possibility of unintentional execution. As a workaround for unpatched versions, users should ensure the Chart.lock file in a chart is not a symlink prior to updating dependencies (GitHub Advisory).

Community reactions

The vulnerability has generated significant discussion in the security community, particularly regarding the security implications of package management systems and the potential risks of dependency updates. The issue has highlighted the importance of proper file handling and symlink validation in package managers (HN Discussion).


Related Helm vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name                      | CISA KEV exploit | Has fix | Published date
---------------|----------|-------|--------------|-------------------------------------|------------------|---------|---------------
CVE-2025-53547 | HIGH     | 8.6   | Helm         | helm                                | No               | Yes     | Jul 08, 2025
CVE-2025-47907 | HIGH     | 7     | Docker       | kubernetes-csi-external-provisioner | No               | Yes     | Aug 07, 2025
CVE-2025-4673  | MEDIUM   | 6.8   | Docker       | golang-1.19                         | No               | Yes     | Jun 11, 2025
CVE-2025-55199 | MEDIUM   | 6.5   | Helm         | chartmuseum-fips                    | No               | Yes     | Aug 14, 2025
CVE-2025-55198 | MEDIUM   | 6.5   | Helm         | consul-k8s-fips-1.6                 | No               | Yes     | Aug 14, 2025
