Security

SECURITY.md

Helm Security Reporting and Policy

The Helm project has a common process and policy that can be found here.

Path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory
GHSA-vmx8-mqv2-9gmg published Apr 9, 2026 by gjenkins8

High
Plugin verification fails open when `.prov` is missing, allowing unsigned plugin install
GHSA-q5jf-9vfq-h4h7 published Apr 9, 2026 by gjenkins8

Critical
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
GHSA-hr2v-4r36-88hr published Apr 9, 2026 by gjenkins8

Moderate
Incorrect YAML Content Leads To Panic
GHSA-f9f8-9pmf-xv68 published Aug 13, 2025 by robertsirc

Moderate
Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
GHSA-9h84-qmv7-982p published Aug 13, 2025 by robertsirc

Moderate
Chart Dependency Updating With Malicious Chart.yaml Content And Symlink
GHSA-557j-xg8c-q2mm published Jul 8, 2025 by robertsirc

High
Specially Crafted JSON Schema Can Cause Stack Overflow
GHSA-5xqw-8hwv-wg92 published Apr 9, 2025 by robertsirc

Moderate
Specially Crafted Chart Archive Can Cause Out Of Memory Termination
GHSA-4hfp-h4cw-hj8p published Apr 9, 2025 by robertsirc

Moderate
Missing YAML Content Leads To Panic
GHSA-r53h-jv2g-vpx6 published Feb 21, 2024 by mattfarina

Moderate
Dependency management path traversal
GHSA-v53g-5gjp-272r published Feb 14, 2024 by mattfarina

Moderate

Learn more about advisories related to helm/helm in the GitHub Advisory Database