Update module helm.sh/helm/v3 to v3.18.5 [SECURITY] (main) #41156
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
HadrienPatte
approved these changes
Aug 14, 2025
Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com>
d08e11d to
860528f
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v3.18.4->v3.18.5GitHub Vulnerability Alerts
CVE-2025-55199
A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination.
Impact
A malicious chart can point
$refin values.schema.json to a device (e.g./dev/*) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination.Patches
This issue has been resolved in Helm v3.18.5.
Workarounds
Make sure that all Helm charts that are being loaded into Helm doesn't have any reference of
$refpointing to/dev/zero.References
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
CVE-2025-55198
A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.
Impact
There are two areas of YAML validation that were impacted. First, when a
Chart.yamlfile had anullmaintainer or thechildorparentof a dependenciesimport-valuescould be parsed as something other than a string,helm lintwould panic. Second, when anindex.yamlhad an empty entry in the list of chart versions Helm would panic on interactions with that repository.Patches
This issue has been resolved in Helm v3.18.5.
Workarounds
Ensure YAML files are formatted as Helm expects prior to processing them with Helm.
References
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
Release Notes
helm/helm (helm.sh/helm/v3)
v3.18.5: Helm v3.18.5Compare Source
Helm v3.18.5 is a security release. Users are encouraged to upgrade for the best experience.
The community keeps growing, and we'd love to see you there!
Security Advisories
Installation and Upgrading
Download Helm v3.18.5. The common platform binaries are here:
The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash.What's Next
Changelog
7799b48(Matt Farina)dd8502f(Matt Farina)cb8595b(Robert Sirchia)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.