Aliases are never checked in helm

GHSA-9vp5-m38w-j776 · BIT-helm-2020-15184 · CVE-2020-15184

Published May 24, 2021 · Modified Mar 13, 2026

Description

Impact

During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the alias field on a Chart.yaml is not properly sanitized. This could lead to the injection of unwanted information into a chart.

Patches

This issue has been patched in Helm 3.3.2 and 2.16.11

Specific Go Packages Affected

helm.sh/helm/v3/pkg/chartutil

Workarounds

Manually review the dependencies field of any untrusted chart, verifying that the alias field is either not used, or (if used) does not contain newlines or path characters.

References

WEB https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-15184
WEB https://github.com/helm/helm/commit/6aab63765f99050b115f0aec3d6350c85e8da946
WEB https://github.com/helm/helm/commit/e7c281564d8306e1dcf8023d97f972449ad74850
PACKAGE https://github.com/helm/helm

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes