Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 6.5 Go

Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

GHSA-9h84-qmv7-982p · BIT-helm-2025-55199 · CVE-2025-55199 · GO-2025-3887

Published · Modified

Description

A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Impact

A malicious chart can point $ref in values.schema.json to a device (e.g. /dev/*) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Make sure that all Helm charts that are being loaded into Helm doesn't have any reference of $ref pointing to /dev/zero.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes