CVE-2025-53547: Helm vulnerable to Code Injection through malicious chart.yaml content
A Helm contributor discovered that a specially crafted Chart.yaml file, along with a specially linked Chart.lock file, can lead to local code execution when dependencies are updated.
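The advisory ties the issue to a "specially linked" Chart.lock next to a crafted Chart.yaml, so the cheapest mitigation a chart consumer can apply is a pre-flight check before running `helm dependency update`. The following POSIX shell script is an added example, not Helm's code or anything from the advisory; it assumes that "linked" means a symbolic link and refuses to update dependencies when Chart.yaml or Chart.lock in the chart directory is anything other than a regular file (a missing Chart.lock is allowed, since Helm creates it). The function name `check_chart_files` and the wrapper `safe_dependency_update` are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not Helm's own code): pre-flight check to run before
# `helm dependency update`. Assumption: the advisory's "specially linked
# Chart.lock" refers to a symbolic link, so we refuse to proceed when
# Chart.yaml or Chart.lock is not a plain regular file.

# check_chart_files DIR
# Returns 0 when DIR looks safe to update, 1 otherwise.
check_chart_files() {
    chart_dir="$1"
    for f in Chart.yaml Chart.lock; do
        p="$chart_dir/$f"
        # Test for a symlink first: -f follows links, so it would not
        # distinguish a symlinked Chart.lock from a real one.
        if [ -L "$p" ]; then
            echo "refusing: $p is a symbolic link" >&2
            return 1
        fi
        # Anything that exists but is not a regular file (directory,
        # FIFO, device) is also rejected.
        if [ -e "$p" ] && [ ! -f "$p" ]; then
            echo "refusing: $p is not a regular file" >&2
            return 1
        fi
    done
    # Chart.yaml itself is mandatory; Chart.lock may be absent.
    if [ ! -f "$chart_dir/Chart.yaml" ]; then
        echo "refusing: $chart_dir/Chart.yaml not found" >&2
        return 1
    fi
    return 0
}

# safe_dependency_update DIR
# Runs the check, then the real helm command only if it passed.
safe_dependency_update() {
    check_chart_files "$1" || return 1
    helm dependency update "$1"
}
```

Run it as `safe_dependency_update ./mychart` in place of `helm dependency update ./mychart`, for example from a CI job that vendors third-party charts; the check is deliberately conservative and does not try to inspect Chart.yaml contents, because the advisory does not specify which fields are abused.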